1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <linux/refcount.h>
48 #include <linux/uio.h>
50 #include <linux/sched/signal.h>
52 #include <linux/file.h>
53 #include <linux/fdtable.h>
55 #include <linux/mman.h>
56 #include <linux/mmu_context.h>
57 #include <linux/percpu.h>
58 #include <linux/slab.h>
59 #include <linux/kthread.h>
60 #include <linux/blkdev.h>
61 #include <linux/bvec.h>
62 #include <linux/net.h>
64 #include <net/af_unix.h>
66 #include <linux/anon_inodes.h>
67 #include <linux/sched/mm.h>
68 #include <linux/uaccess.h>
69 #include <linux/nospec.h>
70 #include <linux/sizes.h>
71 #include <linux/hugetlb.h>
72 #include <linux/highmem.h>
73 #include <linux/namei.h>
74 #include <linux/fsnotify.h>
76 #define CREATE_TRACE_POINTS
77 #include <trace/events/io_uring.h>
79 #include <uapi/linux/io_uring.h>
84 #define IORING_MAX_ENTRIES 32768
85 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
88 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
90 #define IORING_FILE_TABLE_SHIFT 9
91 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
92 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
93 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
96 u32 head ____cacheline_aligned_in_smp;
97 u32 tail ____cacheline_aligned_in_smp;
101 * This data is shared with the application through the mmap at offsets
102 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
104 * The offsets to the member fields are published through struct
105 * io_sqring_offsets when calling io_uring_setup.
109 * Head and tail offsets into the ring; the offsets need to be
110 * masked to get valid indices.
112 * The kernel controls head of the sq ring and the tail of the cq ring,
113 * and the application controls tail of the sq ring and the head of the
116 struct io_uring sq, cq;
118 * Bitmasks to apply to head and tail offsets (constant, equals
121 u32 sq_ring_mask, cq_ring_mask;
122 /* Ring sizes (constant, power of 2) */
123 u32 sq_ring_entries, cq_ring_entries;
125 * Number of invalid entries dropped by the kernel due to
126 * invalid index stored in array
128 * Written by the kernel, shouldn't be modified by the
129 * application (i.e. get number of "new events" by comparing to
132 * After a new SQ head value was read by the application this
133 * counter includes all submissions that were dropped reaching
134 * the new SQ head (and possibly more).
140 * Written by the kernel, shouldn't be modified by the
143 * The application needs a full memory barrier before checking
144 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
148 * Number of completion events lost because the queue was full;
149 * this should be avoided by the application by making sure
150 * there are not more requests pending than there is space in
151 * the completion queue.
153 * Written by the kernel, shouldn't be modified by the
154 * application (i.e. get number of "new events" by comparing to
157 * As completion events come in out of order this counter is not
158 * ordered with any other data.
162 * Ring buffer of completion events.
164 * The kernel writes completion events fresh every time they are
165 * produced, so the application is allowed to modify pending
168 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
171 struct io_mapped_ubuf {
174 struct bio_vec *bvec;
175 unsigned int nr_bvecs;
178 struct fixed_file_table {
186 struct fixed_file_data {
187 struct fixed_file_table *table;
188 struct io_ring_ctx *ctx;
190 struct percpu_ref refs;
191 struct llist_head put_llist;
193 struct work_struct ref_work;
194 struct completion done;
199 struct percpu_ref refs;
200 } ____cacheline_aligned_in_smp;
206 bool cq_overflow_flushed;
210 * Ring buffer of indices into array of io_uring_sqe, which is
211 * mmapped by the application using the IORING_OFF_SQES offset.
213 * This indirection could e.g. be used to assign fixed
214 * io_uring_sqe entries to operations and only submit them to
215 * the queue when needed.
217 * The kernel modifies neither the indices array nor the entries
221 unsigned cached_sq_head;
224 unsigned sq_thread_idle;
225 unsigned cached_sq_dropped;
226 atomic_t cached_cq_overflow;
227 struct io_uring_sqe *sq_sqes;
229 struct list_head defer_list;
230 struct list_head timeout_list;
231 struct list_head cq_overflow_list;
233 wait_queue_head_t inflight_wait;
234 } ____cacheline_aligned_in_smp;
236 struct io_rings *rings;
240 struct task_struct *sqo_thread; /* if using sq thread polling */
241 struct mm_struct *sqo_mm;
242 wait_queue_head_t sqo_wait;
245 * If used, fixed file set. Writers must ensure that ->refs is dead,
246 * readers must ensure that ->refs is alive as long as the file* is
247 * used. Only updated through io_uring_register(2).
249 struct fixed_file_data *file_data;
250 unsigned nr_user_files;
252 /* if used, fixed mapped user buffers */
253 unsigned nr_user_bufs;
254 struct io_mapped_ubuf *user_bufs;
256 struct user_struct *user;
258 const struct cred *creds;
260 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
261 struct completion *completions;
263 /* if all else fails... */
264 struct io_kiocb *fallback_req;
266 #if defined(CONFIG_UNIX)
267 struct socket *ring_sock;
271 unsigned cached_cq_tail;
274 atomic_t cq_timeouts;
275 struct wait_queue_head cq_wait;
276 struct fasync_struct *cq_fasync;
277 struct eventfd_ctx *cq_ev_fd;
278 } ____cacheline_aligned_in_smp;
281 struct mutex uring_lock;
282 wait_queue_head_t wait;
283 } ____cacheline_aligned_in_smp;
286 spinlock_t completion_lock;
287 bool poll_multi_file;
289 * ->poll_list is protected by the ctx->uring_lock for
290 * io_uring instances that don't use IORING_SETUP_SQPOLL.
291 * For SQPOLL, only the single threaded io_sq_thread() will
292 * manipulate the list, hence no extra locking is needed there.
294 struct list_head poll_list;
295 struct hlist_head *cancel_hash;
296 unsigned cancel_hash_bits;
298 spinlock_t inflight_lock;
299 struct list_head inflight_list;
300 } ____cacheline_aligned_in_smp;
304 * First field must be the file pointer in all the
305 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
307 struct io_poll_iocb {
310 struct wait_queue_head *head;
316 struct wait_queue_entry wait;
321 struct file *put_file;
325 struct io_timeout_data {
326 struct io_kiocb *req;
327 struct hrtimer timer;
328 struct timespec64 ts;
329 enum hrtimer_mode mode;
335 struct sockaddr __user *addr;
336 int __user *addr_len;
361 /* NOTE: kiocb has the file as the first member, so don't do it here */
369 struct sockaddr __user *addr;
375 struct user_msghdr __user *msg;
386 const char __user *fname;
387 struct filename *filename;
388 struct statx __user *buffer;
392 struct io_files_update {
399 struct io_async_connect {
400 struct sockaddr_storage address;
403 struct io_async_msghdr {
404 struct iovec fast_iov[UIO_FASTIOV];
406 struct sockaddr __user *uaddr;
411 struct iovec fast_iov[UIO_FASTIOV];
417 struct io_async_open {
418 struct filename *filename;
421 struct io_async_ctx {
423 struct io_async_rw rw;
424 struct io_async_msghdr msg;
425 struct io_async_connect connect;
426 struct io_timeout_data timeout;
427 struct io_async_open open;
432 * NOTE! Each of the iocb union members has the file pointer
433 * as the first entry in their struct definition. So you can
434 * access the file pointer through any of the sub-structs,
435 * or directly as just 'ki_filp' in this struct.
441 struct io_poll_iocb poll;
442 struct io_accept accept;
444 struct io_cancel cancel;
445 struct io_timeout timeout;
446 struct io_connect connect;
447 struct io_sr_msg sr_msg;
449 struct io_close close;
450 struct io_files_update files_update;
453 struct io_async_ctx *io;
454 struct file *ring_file;
458 bool needs_fixed_file;
461 struct io_ring_ctx *ctx;
463 struct list_head list;
464 struct hlist_node hash_node;
466 struct list_head link_list;
469 #define REQ_F_NOWAIT 1 /* must not punt to workers */
470 #define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
471 #define REQ_F_FIXED_FILE 4 /* ctx owns file */
472 #define REQ_F_LINK_NEXT 8 /* already grabbed next link */
473 #define REQ_F_IO_DRAIN 16 /* drain existing IO first */
474 #define REQ_F_IO_DRAINED 32 /* drain done */
475 #define REQ_F_LINK 64 /* linked sqes */
476 #define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
477 #define REQ_F_FAIL_LINK 256 /* fail rest of links */
478 #define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
479 #define REQ_F_TIMEOUT 1024 /* timeout request */
480 #define REQ_F_ISREG 2048 /* regular file */
481 #define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
482 #define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
483 #define REQ_F_INFLIGHT 16384 /* on inflight list */
484 #define REQ_F_COMP_LOCKED 32768 /* completion under lock */
485 #define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
486 #define REQ_F_FORCE_ASYNC 131072 /* IOSQE_ASYNC */
491 struct list_head inflight_entry;
493 struct io_wq_work work;
496 #define IO_PLUG_THRESHOLD 2
497 #define IO_IOPOLL_BATCH 8
499 struct io_submit_state {
500 struct blk_plug plug;
503 * io_kiocb alloc cache
505 void *reqs[IO_IOPOLL_BATCH];
506 unsigned int free_reqs;
507 unsigned int cur_req;
510 * File reference cache
514 unsigned int has_refs;
515 unsigned int used_refs;
516 unsigned int ios_left;
519 static void io_wq_submit_work(struct io_wq_work **workptr);
520 static void io_cqring_fill_event(struct io_kiocb *req, long res);
521 static void io_put_req(struct io_kiocb *req);
522 static void __io_double_put_req(struct io_kiocb *req);
523 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
524 static void io_queue_linked_timeout(struct io_kiocb *req);
525 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
526 struct io_uring_files_update *ip,
529 static struct kmem_cache *req_cachep;
531 static const struct file_operations io_uring_fops;
533 struct sock *io_uring_get_socket(struct file *file)
535 #if defined(CONFIG_UNIX)
536 if (file->f_op == &io_uring_fops) {
537 struct io_ring_ctx *ctx = file->private_data;
539 return ctx->ring_sock->sk;
544 EXPORT_SYMBOL(io_uring_get_socket);
546 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
548 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
550 complete(&ctx->completions[0]);
553 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
555 struct io_ring_ctx *ctx;
558 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
562 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
563 if (!ctx->fallback_req)
566 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
567 if (!ctx->completions)
571 * Use 5 bits less than the max cq entries, that should give us around
572 * 32 entries per hash list if totally full and uniformly spread.
574 hash_bits = ilog2(p->cq_entries);
578 ctx->cancel_hash_bits = hash_bits;
579 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
581 if (!ctx->cancel_hash)
583 __hash_init(ctx->cancel_hash, 1U << hash_bits);
585 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
586 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
589 ctx->flags = p->flags;
590 init_waitqueue_head(&ctx->cq_wait);
591 INIT_LIST_HEAD(&ctx->cq_overflow_list);
592 init_completion(&ctx->completions[0]);
593 init_completion(&ctx->completions[1]);
594 mutex_init(&ctx->uring_lock);
595 init_waitqueue_head(&ctx->wait);
596 spin_lock_init(&ctx->completion_lock);
597 INIT_LIST_HEAD(&ctx->poll_list);
598 INIT_LIST_HEAD(&ctx->defer_list);
599 INIT_LIST_HEAD(&ctx->timeout_list);
600 init_waitqueue_head(&ctx->inflight_wait);
601 spin_lock_init(&ctx->inflight_lock);
602 INIT_LIST_HEAD(&ctx->inflight_list);
605 if (ctx->fallback_req)
606 kmem_cache_free(req_cachep, ctx->fallback_req);
607 kfree(ctx->completions);
608 kfree(ctx->cancel_hash);
613 static inline bool __req_need_defer(struct io_kiocb *req)
615 struct io_ring_ctx *ctx = req->ctx;
617 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
618 + atomic_read(&ctx->cached_cq_overflow);
621 static inline bool req_need_defer(struct io_kiocb *req)
623 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
624 return __req_need_defer(req);
629 static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
631 struct io_kiocb *req;
633 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
634 if (req && !req_need_defer(req)) {
635 list_del_init(&req->list);
642 static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
644 struct io_kiocb *req;
646 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
648 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
650 if (!__req_need_defer(req)) {
651 list_del_init(&req->list);
659 static void __io_commit_cqring(struct io_ring_ctx *ctx)
661 struct io_rings *rings = ctx->rings;
663 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
664 /* order cqe stores with ring update */
665 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
667 if (wq_has_sleeper(&ctx->cq_wait)) {
668 wake_up_interruptible(&ctx->cq_wait);
669 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
674 static inline bool io_req_needs_user(struct io_kiocb *req)
676 return !(req->opcode == IORING_OP_READ_FIXED ||
677 req->opcode == IORING_OP_WRITE_FIXED);
680 static inline bool io_prep_async_work(struct io_kiocb *req,
681 struct io_kiocb **link)
683 bool do_hashed = false;
685 switch (req->opcode) {
686 case IORING_OP_WRITEV:
687 case IORING_OP_WRITE_FIXED:
688 /* only regular files should be hashed for writes */
689 if (req->flags & REQ_F_ISREG)
692 case IORING_OP_READV:
693 case IORING_OP_READ_FIXED:
694 case IORING_OP_SENDMSG:
695 case IORING_OP_RECVMSG:
696 case IORING_OP_ACCEPT:
697 case IORING_OP_POLL_ADD:
698 case IORING_OP_CONNECT:
700 * We know REQ_F_ISREG is not set on some of these
701 * opcodes, but this enables us to keep the check in
704 if (!(req->flags & REQ_F_ISREG))
705 req->work.flags |= IO_WQ_WORK_UNBOUND;
708 if (io_req_needs_user(req))
709 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
711 *link = io_prep_linked_timeout(req);
715 static inline void io_queue_async_work(struct io_kiocb *req)
717 struct io_ring_ctx *ctx = req->ctx;
718 struct io_kiocb *link;
721 do_hashed = io_prep_async_work(req, &link);
723 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
726 io_wq_enqueue(ctx->io_wq, &req->work);
728 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
729 file_inode(req->file));
733 io_queue_linked_timeout(link);
736 static void io_kill_timeout(struct io_kiocb *req)
740 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
742 atomic_inc(&req->ctx->cq_timeouts);
743 list_del_init(&req->list);
744 io_cqring_fill_event(req, 0);
749 static void io_kill_timeouts(struct io_ring_ctx *ctx)
751 struct io_kiocb *req, *tmp;
753 spin_lock_irq(&ctx->completion_lock);
754 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
755 io_kill_timeout(req);
756 spin_unlock_irq(&ctx->completion_lock);
759 static void io_commit_cqring(struct io_ring_ctx *ctx)
761 struct io_kiocb *req;
763 while ((req = io_get_timeout_req(ctx)) != NULL)
764 io_kill_timeout(req);
766 __io_commit_cqring(ctx);
768 while ((req = io_get_deferred_req(ctx)) != NULL) {
769 req->flags |= REQ_F_IO_DRAINED;
770 io_queue_async_work(req);
774 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
776 struct io_rings *rings = ctx->rings;
779 tail = ctx->cached_cq_tail;
781 * writes to the cq entry need to come after reading head; the
782 * control dependency is enough as we're using WRITE_ONCE to
785 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
788 ctx->cached_cq_tail++;
789 return &rings->cqes[tail & ctx->cq_mask];
792 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
794 if (waitqueue_active(&ctx->wait))
796 if (waitqueue_active(&ctx->sqo_wait))
797 wake_up(&ctx->sqo_wait);
799 eventfd_signal(ctx->cq_ev_fd, 1);
802 /* Returns true if there are no backlogged entries after the flush */
803 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
805 struct io_rings *rings = ctx->rings;
806 struct io_uring_cqe *cqe;
807 struct io_kiocb *req;
812 if (list_empty_careful(&ctx->cq_overflow_list))
814 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
815 rings->cq_ring_entries))
819 spin_lock_irqsave(&ctx->completion_lock, flags);
821 /* if force is set, the ring is going away. always drop after that */
823 ctx->cq_overflow_flushed = true;
826 while (!list_empty(&ctx->cq_overflow_list)) {
827 cqe = io_get_cqring(ctx);
831 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
833 list_move(&req->list, &list);
835 WRITE_ONCE(cqe->user_data, req->user_data);
836 WRITE_ONCE(cqe->res, req->result);
837 WRITE_ONCE(cqe->flags, 0);
839 WRITE_ONCE(ctx->rings->cq_overflow,
840 atomic_inc_return(&ctx->cached_cq_overflow));
844 io_commit_cqring(ctx);
845 spin_unlock_irqrestore(&ctx->completion_lock, flags);
846 io_cqring_ev_posted(ctx);
848 while (!list_empty(&list)) {
849 req = list_first_entry(&list, struct io_kiocb, list);
850 list_del(&req->list);
857 static void io_cqring_fill_event(struct io_kiocb *req, long res)
859 struct io_ring_ctx *ctx = req->ctx;
860 struct io_uring_cqe *cqe;
862 trace_io_uring_complete(ctx, req->user_data, res);
865 * If we can't get a cq entry, userspace overflowed the
866 * submission (by quite a lot). Increment the overflow count in
869 cqe = io_get_cqring(ctx);
871 WRITE_ONCE(cqe->user_data, req->user_data);
872 WRITE_ONCE(cqe->res, res);
873 WRITE_ONCE(cqe->flags, 0);
874 } else if (ctx->cq_overflow_flushed) {
875 WRITE_ONCE(ctx->rings->cq_overflow,
876 atomic_inc_return(&ctx->cached_cq_overflow));
878 refcount_inc(&req->refs);
880 list_add_tail(&req->list, &ctx->cq_overflow_list);
884 static void io_cqring_add_event(struct io_kiocb *req, long res)
886 struct io_ring_ctx *ctx = req->ctx;
889 spin_lock_irqsave(&ctx->completion_lock, flags);
890 io_cqring_fill_event(req, res);
891 io_commit_cqring(ctx);
892 spin_unlock_irqrestore(&ctx->completion_lock, flags);
894 io_cqring_ev_posted(ctx);
897 static inline bool io_is_fallback_req(struct io_kiocb *req)
899 return req == (struct io_kiocb *)
900 ((unsigned long) req->ctx->fallback_req & ~1UL);
903 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
905 struct io_kiocb *req;
907 req = ctx->fallback_req;
908 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
914 static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
915 struct io_submit_state *state)
917 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
918 struct io_kiocb *req;
920 if (!percpu_ref_tryget(&ctx->refs))
924 req = kmem_cache_alloc(req_cachep, gfp);
927 } else if (!state->free_reqs) {
931 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
932 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
935 * Bulk alloc is all-or-nothing. If we fail to get a batch,
936 * retry single alloc to be on the safe side.
938 if (unlikely(ret <= 0)) {
939 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
944 state->free_reqs = ret - 1;
946 req = state->reqs[0];
948 req = state->reqs[state->cur_req];
955 req->ring_file = NULL;
959 /* one is dropped after submission, the other at completion */
960 refcount_set(&req->refs, 2);
962 INIT_IO_WORK(&req->work, io_wq_submit_work);
965 req = io_get_fallback_req(ctx);
968 percpu_ref_put(&ctx->refs);
972 static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr)
975 kmem_cache_free_bulk(req_cachep, *nr, reqs);
976 percpu_ref_put_many(&ctx->refs, *nr);
977 percpu_ref_put_many(&ctx->file_data->refs, *nr);
982 static void __io_free_req(struct io_kiocb *req)
984 struct io_ring_ctx *ctx = req->ctx;
989 if (req->flags & REQ_F_FIXED_FILE)
990 percpu_ref_put(&ctx->file_data->refs);
994 if (req->flags & REQ_F_INFLIGHT) {
997 spin_lock_irqsave(&ctx->inflight_lock, flags);
998 list_del(&req->inflight_entry);
999 if (waitqueue_active(&ctx->inflight_wait))
1000 wake_up(&ctx->inflight_wait);
1001 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
1003 percpu_ref_put(&ctx->refs);
1004 if (likely(!io_is_fallback_req(req)))
1005 kmem_cache_free(req_cachep, req);
1007 clear_bit_unlock(0, (unsigned long *) ctx->fallback_req);
1010 static bool io_link_cancel_timeout(struct io_kiocb *req)
1012 struct io_ring_ctx *ctx = req->ctx;
1015 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
1017 io_cqring_fill_event(req, -ECANCELED);
1018 io_commit_cqring(ctx);
1019 req->flags &= ~REQ_F_LINK;
1027 static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1029 struct io_ring_ctx *ctx = req->ctx;
1030 bool wake_ev = false;
1032 /* Already got next link */
1033 if (req->flags & REQ_F_LINK_NEXT)
1037 * The list should never be empty when we are called here. But could
1038 * potentially happen if the chain is messed up, check to be on the
1041 while (!list_empty(&req->link_list)) {
1042 struct io_kiocb *nxt = list_first_entry(&req->link_list,
1043 struct io_kiocb, link_list);
1045 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
1046 (nxt->flags & REQ_F_TIMEOUT))) {
1047 list_del_init(&nxt->link_list);
1048 wake_ev |= io_link_cancel_timeout(nxt);
1049 req->flags &= ~REQ_F_LINK_TIMEOUT;
1053 list_del_init(&req->link_list);
1054 if (!list_empty(&nxt->link_list))
1055 nxt->flags |= REQ_F_LINK;
1060 req->flags |= REQ_F_LINK_NEXT;
1062 io_cqring_ev_posted(ctx);
1066 * Called if REQ_F_LINK is set, and we fail the head request
1068 static void io_fail_links(struct io_kiocb *req)
1070 struct io_ring_ctx *ctx = req->ctx;
1071 unsigned long flags;
1073 spin_lock_irqsave(&ctx->completion_lock, flags);
1075 while (!list_empty(&req->link_list)) {
1076 struct io_kiocb *link = list_first_entry(&req->link_list,
1077 struct io_kiocb, link_list);
1079 list_del_init(&link->link_list);
1080 trace_io_uring_fail_link(req, link);
1082 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
1083 link->opcode == IORING_OP_LINK_TIMEOUT) {
1084 io_link_cancel_timeout(link);
1086 io_cqring_fill_event(link, -ECANCELED);
1087 __io_double_put_req(link);
1089 req->flags &= ~REQ_F_LINK_TIMEOUT;
1092 io_commit_cqring(ctx);
1093 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1094 io_cqring_ev_posted(ctx);
1097 static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
1099 if (likely(!(req->flags & REQ_F_LINK)))
1103 * If LINK is set, we have dependent requests in this chain. If we
1104 * didn't fail this request, queue the first one up, moving any other
1105 * dependencies to the next request. In case of failure, fail the rest
1108 if (req->flags & REQ_F_FAIL_LINK) {
1110 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1111 REQ_F_LINK_TIMEOUT) {
1112 struct io_ring_ctx *ctx = req->ctx;
1113 unsigned long flags;
1116 * If this is a timeout link, we could be racing with the
1117 * timeout timer. Grab the completion lock for this case to
1118 * protect against that.
1120 spin_lock_irqsave(&ctx->completion_lock, flags);
1121 io_req_link_next(req, nxt);
1122 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1124 io_req_link_next(req, nxt);
1128 static void io_free_req(struct io_kiocb *req)
1130 struct io_kiocb *nxt = NULL;
1132 io_req_find_next(req, &nxt);
1136 io_queue_async_work(nxt);
1140 * Drop reference to request, return next in chain (if there is one) if this
1141 * was the last reference to this request.
1143 __attribute__((nonnull))
1144 static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1146 io_req_find_next(req, nxtptr);
1148 if (refcount_dec_and_test(&req->refs))
1152 static void io_put_req(struct io_kiocb *req)
1154 if (refcount_dec_and_test(&req->refs))
1159 * Must only be used if we don't need to care about links, usually from
1160 * within the completion handling itself.
1162 static void __io_double_put_req(struct io_kiocb *req)
1164 /* drop both submit and complete references */
1165 if (refcount_sub_and_test(2, &req->refs))
1169 static void io_double_put_req(struct io_kiocb *req)
1171 /* drop both submit and complete references */
1172 if (refcount_sub_and_test(2, &req->refs))
1176 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1178 struct io_rings *rings = ctx->rings;
1181 * noflush == true is from the waitqueue handler, just ensure we wake
1182 * up the task, and the next invocation will flush the entries. We
1183 * cannot safely to it from here.
1185 if (noflush && !list_empty(&ctx->cq_overflow_list))
1188 io_cqring_overflow_flush(ctx, false);
1190 /* See comment at the top of this file */
1192 return READ_ONCE(rings->cq.tail) - READ_ONCE(rings->cq.head);
1195 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1197 struct io_rings *rings = ctx->rings;
1199 /* make sure SQ entry isn't read before tail */
1200 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1204 * Find and free completed poll iocbs
1206 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1207 struct list_head *done)
1209 void *reqs[IO_IOPOLL_BATCH];
1210 struct io_kiocb *req;
1214 while (!list_empty(done)) {
1215 req = list_first_entry(done, struct io_kiocb, list);
1216 list_del(&req->list);
1218 io_cqring_fill_event(req, req->result);
1221 if (refcount_dec_and_test(&req->refs)) {
1222 /* If we're not using fixed files, we have to pair the
1223 * completion part with the file put. Use regular
1224 * completions for those, only batch free for fixed
1225 * file and non-linked commands.
1227 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) ==
1228 REQ_F_FIXED_FILE) && !io_is_fallback_req(req) &&
1230 reqs[to_free++] = req;
1231 if (to_free == ARRAY_SIZE(reqs))
1232 io_free_req_many(ctx, reqs, &to_free);
1239 io_commit_cqring(ctx);
1240 io_free_req_many(ctx, reqs, &to_free);
1243 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1246 struct io_kiocb *req, *tmp;
1252 * Only spin for completions if we don't have multiple devices hanging
1253 * off our complete list, and we're under the requested amount.
1255 spin = !ctx->poll_multi_file && *nr_events < min;
1258 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1259 struct kiocb *kiocb = &req->rw.kiocb;
1262 * Move completed entries to our local list. If we find a
1263 * request that requires polling, break out and complete
1264 * the done list first, if we have entries there.
1266 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1267 list_move_tail(&req->list, &done);
1270 if (!list_empty(&done))
1273 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1282 if (!list_empty(&done))
1283 io_iopoll_complete(ctx, nr_events, &done);
1289 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
1290 * non-spinning poll check - we'll still enter the driver poll loop, but only
1291 * as a non-spinning completion check.
1293 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1296 while (!list_empty(&ctx->poll_list) && !need_resched()) {
1299 ret = io_do_iopoll(ctx, nr_events, min);
1302 if (!min || *nr_events >= min)
1310 * We can't just wait for polled events to come to us, we have to actively
1311 * find and complete them.
1313 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1315 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1318 mutex_lock(&ctx->uring_lock);
1319 while (!list_empty(&ctx->poll_list)) {
1320 unsigned int nr_events = 0;
1322 io_iopoll_getevents(ctx, &nr_events, 1);
1325 * Ensure we allow local-to-the-cpu processing to take place,
1326 * in this case we need to ensure that we reap all events.
1330 mutex_unlock(&ctx->uring_lock);
1333 static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1336 int iters = 0, ret = 0;
1342 * Don't enter poll loop if we already have events pending.
1343 * If we do, we can potentially be spinning for commands that
1344 * already triggered a CQE (eg in error).
1346 if (io_cqring_events(ctx, false))
1350 * If a submit got punted to a workqueue, we can have the
1351 * application entering polling for a command before it gets
1352 * issued. That app will hold the uring_lock for the duration
1353 * of the poll right here, so we need to take a breather every
1354 * now and then to ensure that the issue has a chance to add
1355 * the poll to the issued list. Otherwise we can spin here
1356 * forever, while the workqueue is stuck trying to acquire the
1359 if (!(++iters & 7)) {
1360 mutex_unlock(&ctx->uring_lock);
1361 mutex_lock(&ctx->uring_lock);
1364 if (*nr_events < min)
1365 tmin = min - *nr_events;
1367 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1371 } while (min && !*nr_events && !need_resched());
1376 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1382 * We disallow the app entering submit/complete with polling, but we
1383 * still need to lock the ring to prevent racing with polled issue
1384 * that got punted to a workqueue.
1386 mutex_lock(&ctx->uring_lock);
1387 ret = __io_iopoll_check(ctx, nr_events, min);
1388 mutex_unlock(&ctx->uring_lock);
1392 static void kiocb_end_write(struct io_kiocb *req)
1395 * Tell lockdep we inherited freeze protection from submission
1398 if (req->flags & REQ_F_ISREG) {
1399 struct inode *inode = file_inode(req->file);
1401 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
1403 file_end_write(req->file);
1406 static inline void req_set_fail_links(struct io_kiocb *req)
1408 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1409 req->flags |= REQ_F_FAIL_LINK;
1412 static void io_complete_rw_common(struct kiocb *kiocb, long res)
1414 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1416 if (kiocb->ki_flags & IOCB_WRITE)
1417 kiocb_end_write(req);
1419 if (res != req->result)
1420 req_set_fail_links(req);
1421 io_cqring_add_event(req, res);
1424 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1426 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1428 io_complete_rw_common(kiocb, res);
1432 static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1434 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1435 struct io_kiocb *nxt = NULL;
1437 io_complete_rw_common(kiocb, res);
1438 io_put_req_find_next(req, &nxt);
1443 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1445 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
1447 if (kiocb->ki_flags & IOCB_WRITE)
1448 kiocb_end_write(req);
1450 if (res != req->result)
1451 req_set_fail_links(req);
1454 req->flags |= REQ_F_IOPOLL_COMPLETED;
1458 * After the iocb has been issued, it's safe to be found on the poll list.
1459 * Adding the kiocb to the list AFTER submission ensures that we don't
1460 * find it from a io_iopoll_getevents() thread before the issuer is done
1461 * accessing the kiocb cookie.
1463 static void io_iopoll_req_issued(struct io_kiocb *req)
1465 struct io_ring_ctx *ctx = req->ctx;
1468 * Track whether we have multiple files in our lists. This will impact
1469 * how we do polling eventually, not spinning if we're on potentially
1470 * different devices.
1472 if (list_empty(&ctx->poll_list)) {
1473 ctx->poll_multi_file = false;
1474 } else if (!ctx->poll_multi_file) {
1475 struct io_kiocb *list_req;
1477 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1479 if (list_req->file != req->file)
1480 ctx->poll_multi_file = true;
1484 * For fast devices, IO may have already completed. If it has, add
1485 * it to the front so we find it first.
1487 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1488 list_add(&req->list, &ctx->poll_list);
1490 list_add_tail(&req->list, &ctx->poll_list);
1493 static void io_file_put(struct io_submit_state *state)
1496 int diff = state->has_refs - state->used_refs;
1499 fput_many(state->file, diff);
1505 * Get as many references to a file as we have IOs left in this submission,
1506 * assuming most submissions are for one file, or at least that each file
1507 * has more than one submission.
1509 static struct file *io_file_get(struct io_submit_state *state, int fd)
1515 if (state->fd == fd) {
1522 state->file = fget_many(fd, state->ios_left);
1527 state->has_refs = state->ios_left;
1528 state->used_refs = 1;
1534 * If we tracked the file through the SCM inflight mechanism, we could support
1535 * any file. For now, just ensure that anything potentially problematic is done
1538 static bool io_file_supports_async(struct file *file)
1540 umode_t mode = file_inode(file)->i_mode;
1542 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
1544 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1550 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1551 bool force_nonblock)
1553 struct io_ring_ctx *ctx = req->ctx;
1554 struct kiocb *kiocb = &req->rw.kiocb;
1561 if (S_ISREG(file_inode(req->file)->i_mode))
1562 req->flags |= REQ_F_ISREG;
1564 kiocb->ki_pos = READ_ONCE(sqe->off);
1565 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1566 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1568 ioprio = READ_ONCE(sqe->ioprio);
1570 ret = ioprio_check_cap(ioprio);
1574 kiocb->ki_ioprio = ioprio;
1576 kiocb->ki_ioprio = get_current_ioprio();
1578 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1582 /* don't allow async punt if RWF_NOWAIT was requested */
1583 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1584 (req->file->f_flags & O_NONBLOCK))
1585 req->flags |= REQ_F_NOWAIT;
1588 kiocb->ki_flags |= IOCB_NOWAIT;
1590 if (ctx->flags & IORING_SETUP_IOPOLL) {
1591 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1592 !kiocb->ki_filp->f_op->iopoll)
1595 kiocb->ki_flags |= IOCB_HIPRI;
1596 kiocb->ki_complete = io_complete_rw_iopoll;
1599 if (kiocb->ki_flags & IOCB_HIPRI)
1601 kiocb->ki_complete = io_complete_rw;
1604 req->rw.addr = READ_ONCE(sqe->addr);
1605 req->rw.len = READ_ONCE(sqe->len);
1606 /* we own ->private, reuse it for the buffer index */
1607 req->rw.kiocb.private = (void *) (unsigned long)
1608 READ_ONCE(sqe->buf_index);
1612 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1618 case -ERESTARTNOINTR:
1619 case -ERESTARTNOHAND:
1620 case -ERESTART_RESTARTBLOCK:
1622 * We can't just restart the syscall, since previously
1623 * submitted sqes may already be in progress. Just fail this
1629 kiocb->ki_complete(kiocb, ret, 0);
1633 static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1636 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
1637 *nxt = __io_complete_rw(kiocb, ret);
1639 io_rw_done(kiocb, ret);
1642 static ssize_t io_import_fixed(struct io_kiocb *req, int rw,
1643 struct iov_iter *iter)
1645 struct io_ring_ctx *ctx = req->ctx;
1646 size_t len = req->rw.len;
1647 struct io_mapped_ubuf *imu;
1648 unsigned index, buf_index;
1652 /* attempt to use fixed buffers without having provided iovecs */
1653 if (unlikely(!ctx->user_bufs))
1656 buf_index = (unsigned long) req->rw.kiocb.private;
1657 if (unlikely(buf_index >= ctx->nr_user_bufs))
1660 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1661 imu = &ctx->user_bufs[index];
1662 buf_addr = req->rw.addr;
1665 if (buf_addr + len < buf_addr)
1667 /* not inside the mapped region */
1668 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1672 * May not be a start of buffer, set size appropriately
1673 * and advance us to the beginning.
1675 offset = buf_addr - imu->ubuf;
1676 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
1680 * Don't use iov_iter_advance() here, as it's really slow for
1681 * using the latter parts of a big fixed buffer - it iterates
1682 * over each segment manually. We can cheat a bit here, because
1685 * 1) it's a BVEC iter, we set it up
1686 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1687 * first and last bvec
1689 * So just find our index, and adjust the iterator afterwards.
1690 * If the offset is within the first bvec (or the whole first
1691 * bvec, just use iov_iter_advance(). This makes it easier
1692 * since we can just skip the first segment, which may not
1693 * be PAGE_SIZE aligned.
1695 const struct bio_vec *bvec = imu->bvec;
1697 if (offset <= bvec->bv_len) {
1698 iov_iter_advance(iter, offset);
1700 unsigned long seg_skip;
1702 /* skip first vec */
1703 offset -= bvec->bv_len;
1704 seg_skip = 1 + (offset >> PAGE_SHIFT);
1706 iter->bvec = bvec + seg_skip;
1707 iter->nr_segs -= seg_skip;
1708 iter->count -= bvec->bv_len + offset;
1709 iter->iov_offset = offset & ~PAGE_MASK;
1716 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1717 struct iovec **iovec, struct iov_iter *iter)
1719 void __user *buf = u64_to_user_ptr(req->rw.addr);
1720 size_t sqe_len = req->rw.len;
1723 opcode = req->opcode;
1724 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
1726 return io_import_fixed(req, rw, iter);
1729 /* buffer index only valid with fixed read/write */
1730 if (req->rw.kiocb.private)
1734 struct io_async_rw *iorw = &req->io->rw;
1737 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1738 if (iorw->iov == iorw->fast_iov)
1746 #ifdef CONFIG_COMPAT
1747 if (req->ctx->compat)
1748 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1752 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1756 * For files that don't have ->read_iter() and ->write_iter(), handle them
1757 * by looping over ->read() or ->write() manually.
1759 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1760 struct iov_iter *iter)
1765 * Don't support polled IO through this interface, and we can't
1766 * support non-blocking either. For the latter, this just causes
1767 * the kiocb to be handled from an async context.
1769 if (kiocb->ki_flags & IOCB_HIPRI)
1771 if (kiocb->ki_flags & IOCB_NOWAIT)
1774 while (iov_iter_count(iter)) {
1778 if (!iov_iter_is_bvec(iter)) {
1779 iovec = iov_iter_iovec(iter);
1781 /* fixed buffers import bvec */
1782 iovec.iov_base = kmap(iter->bvec->bv_page)
1784 iovec.iov_len = min(iter->count,
1785 iter->bvec->bv_len - iter->iov_offset);
1789 nr = file->f_op->read(file, iovec.iov_base,
1790 iovec.iov_len, &kiocb->ki_pos);
1792 nr = file->f_op->write(file, iovec.iov_base,
1793 iovec.iov_len, &kiocb->ki_pos);
1796 if (iov_iter_is_bvec(iter))
1797 kunmap(iter->bvec->bv_page);
1805 if (nr != iovec.iov_len)
1807 iov_iter_advance(iter, nr);
1813 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
1814 struct iovec *iovec, struct iovec *fast_iov,
1815 struct iov_iter *iter)
1817 req->io->rw.nr_segs = iter->nr_segs;
1818 req->io->rw.size = io_size;
1819 req->io->rw.iov = iovec;
1820 if (!req->io->rw.iov) {
1821 req->io->rw.iov = req->io->rw.fast_iov;
1822 memcpy(req->io->rw.iov, fast_iov,
1823 sizeof(struct iovec) * iter->nr_segs);
1827 static int io_alloc_async_ctx(struct io_kiocb *req)
1829 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
1830 return req->io == NULL;
1833 static void io_rw_async(struct io_wq_work **workptr)
1835 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
1836 struct iovec *iov = NULL;
1838 if (req->io->rw.iov != req->io->rw.fast_iov)
1839 iov = req->io->rw.iov;
1840 io_wq_submit_work(workptr);
1844 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
1845 struct iovec *iovec, struct iovec *fast_iov,
1846 struct iov_iter *iter)
1848 if (req->opcode == IORING_OP_READ_FIXED ||
1849 req->opcode == IORING_OP_WRITE_FIXED)
1851 if (!req->io && io_alloc_async_ctx(req))
1854 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
1855 req->work.func = io_rw_async;
1859 static int io_read_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1860 bool force_nonblock)
1862 struct io_async_ctx *io;
1863 struct iov_iter iter;
1866 ret = io_prep_rw(req, sqe, force_nonblock);
1870 if (unlikely(!(req->file->f_mode & FMODE_READ)))
1877 io->rw.iov = io->rw.fast_iov;
1879 ret = io_import_iovec(READ, req, &io->rw.iov, &iter);
1884 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
1888 static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
1889 bool force_nonblock)
1891 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1892 struct kiocb *kiocb = &req->rw.kiocb;
1893 struct iov_iter iter;
1895 ssize_t io_size, ret;
1897 ret = io_import_iovec(READ, req, &iovec, &iter);
1901 /* Ensure we clear previously set non-block flag */
1902 if (!force_nonblock)
1903 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
1907 if (req->flags & REQ_F_LINK)
1908 req->result = io_size;
1911 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1912 * we know to async punt it even if it was opened O_NONBLOCK
1914 if (force_nonblock && !io_file_supports_async(req->file)) {
1915 req->flags |= REQ_F_MUST_PUNT;
1919 iov_count = iov_iter_count(&iter);
1920 ret = rw_verify_area(READ, req->file, &kiocb->ki_pos, iov_count);
1924 if (req->file->f_op->read_iter)
1925 ret2 = call_read_iter(req->file, kiocb, &iter);
1927 ret2 = loop_rw_iter(READ, req->file, kiocb, &iter);
1929 /* Catch -EAGAIN return for forced non-blocking submission */
1930 if (!force_nonblock || ret2 != -EAGAIN) {
1931 kiocb_done(kiocb, ret2, nxt, req->in_async);
1934 ret = io_setup_async_rw(req, io_size, iovec,
1935 inline_vecs, &iter);
1942 if (!io_wq_current_is_worker())
1947 static int io_write_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
1948 bool force_nonblock)
1950 struct io_async_ctx *io;
1951 struct iov_iter iter;
1954 ret = io_prep_rw(req, sqe, force_nonblock);
1958 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
1965 io->rw.iov = io->rw.fast_iov;
1967 ret = io_import_iovec(WRITE, req, &io->rw.iov, &iter);
1972 io_req_map_rw(req, ret, io->rw.iov, io->rw.fast_iov, &iter);
1976 static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
1977 bool force_nonblock)
1979 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1980 struct kiocb *kiocb = &req->rw.kiocb;
1981 struct iov_iter iter;
1983 ssize_t ret, io_size;
1985 ret = io_import_iovec(WRITE, req, &iovec, &iter);
1989 /* Ensure we clear previously set non-block flag */
1990 if (!force_nonblock)
1991 req->rw.kiocb.ki_flags &= ~IOCB_NOWAIT;
1995 if (req->flags & REQ_F_LINK)
1996 req->result = io_size;
1999 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
2000 * we know to async punt it even if it was opened O_NONBLOCK
2002 if (force_nonblock && !io_file_supports_async(req->file)) {
2003 req->flags |= REQ_F_MUST_PUNT;
2007 /* file path doesn't support NOWAIT for non-direct_IO */
2008 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
2009 (req->flags & REQ_F_ISREG))
2012 iov_count = iov_iter_count(&iter);
2013 ret = rw_verify_area(WRITE, req->file, &kiocb->ki_pos, iov_count);
2018 * Open-code file_start_write here to grab freeze protection,
2019 * which will be released by another thread in
2020 * io_complete_rw(). Fool lockdep by telling it the lock got
2021 * released so that it doesn't complain about the held lock when
2022 * we return to userspace.
2024 if (req->flags & REQ_F_ISREG) {
2025 __sb_start_write(file_inode(req->file)->i_sb,
2026 SB_FREEZE_WRITE, true);
2027 __sb_writers_release(file_inode(req->file)->i_sb,
2030 kiocb->ki_flags |= IOCB_WRITE;
2032 if (req->file->f_op->write_iter)
2033 ret2 = call_write_iter(req->file, kiocb, &iter);
2035 ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter);
2036 if (!force_nonblock || ret2 != -EAGAIN) {
2037 kiocb_done(kiocb, ret2, nxt, req->in_async);
2040 ret = io_setup_async_rw(req, io_size, iovec,
2041 inline_vecs, &iter);
2048 if (!io_wq_current_is_worker())
2054 * IORING_OP_NOP just posts a completion event, nothing else.
2056 static int io_nop(struct io_kiocb *req)
2058 struct io_ring_ctx *ctx = req->ctx;
2060 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2063 io_cqring_add_event(req, 0);
2068 static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2070 struct io_ring_ctx *ctx = req->ctx;
2075 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2077 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2080 req->sync.flags = READ_ONCE(sqe->fsync_flags);
2081 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
2084 req->sync.off = READ_ONCE(sqe->off);
2085 req->sync.len = READ_ONCE(sqe->len);
2089 static bool io_req_cancelled(struct io_kiocb *req)
2091 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2092 req_set_fail_links(req);
2093 io_cqring_add_event(req, -ECANCELED);
2101 static void io_link_work_cb(struct io_wq_work **workptr)
2103 struct io_wq_work *work = *workptr;
2104 struct io_kiocb *link = work->data;
2106 io_queue_linked_timeout(link);
2107 work->func = io_wq_submit_work;
2110 static void io_wq_assign_next(struct io_wq_work **workptr, struct io_kiocb *nxt)
2112 struct io_kiocb *link;
2114 io_prep_async_work(nxt, &link);
2115 *workptr = &nxt->work;
2117 nxt->work.flags |= IO_WQ_WORK_CB;
2118 nxt->work.func = io_link_work_cb;
2119 nxt->work.data = link;
2123 static void io_fsync_finish(struct io_wq_work **workptr)
2125 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2126 loff_t end = req->sync.off + req->sync.len;
2127 struct io_kiocb *nxt = NULL;
2130 if (io_req_cancelled(req))
2133 ret = vfs_fsync_range(req->file, req->sync.off,
2134 end > 0 ? end : LLONG_MAX,
2135 req->sync.flags & IORING_FSYNC_DATASYNC);
2137 req_set_fail_links(req);
2138 io_cqring_add_event(req, ret);
2139 io_put_req_find_next(req, &nxt);
2141 io_wq_assign_next(workptr, nxt);
2144 static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2145 bool force_nonblock)
2147 struct io_wq_work *work, *old_work;
2149 /* fsync always requires a blocking context */
2150 if (force_nonblock) {
2152 req->work.func = io_fsync_finish;
2156 work = old_work = &req->work;
2157 io_fsync_finish(&work);
2158 if (work && work != old_work)
2159 *nxt = container_of(work, struct io_kiocb, work);
2163 static void io_fallocate_finish(struct io_wq_work **workptr)
2165 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2166 struct io_kiocb *nxt = NULL;
2169 ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
2172 req_set_fail_links(req);
2173 io_cqring_add_event(req, ret);
2174 io_put_req_find_next(req, &nxt);
2176 io_wq_assign_next(workptr, nxt);
2179 static int io_fallocate_prep(struct io_kiocb *req,
2180 const struct io_uring_sqe *sqe)
2182 if (sqe->ioprio || sqe->buf_index || sqe->rw_flags)
2185 req->sync.off = READ_ONCE(sqe->off);
2186 req->sync.len = READ_ONCE(sqe->addr);
2187 req->sync.mode = READ_ONCE(sqe->len);
2191 static int io_fallocate(struct io_kiocb *req, struct io_kiocb **nxt,
2192 bool force_nonblock)
2194 struct io_wq_work *work, *old_work;
2196 /* fallocate always requiring blocking context */
2197 if (force_nonblock) {
2199 req->work.func = io_fallocate_finish;
2203 work = old_work = &req->work;
2204 io_fallocate_finish(&work);
2205 if (work && work != old_work)
2206 *nxt = container_of(work, struct io_kiocb, work);
2211 static int io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2215 if (sqe->ioprio || sqe->buf_index)
2218 req->open.dfd = READ_ONCE(sqe->fd);
2219 req->open.mode = READ_ONCE(sqe->len);
2220 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2221 req->open.flags = READ_ONCE(sqe->open_flags);
2223 req->open.filename = getname(req->open.fname);
2224 if (IS_ERR(req->open.filename)) {
2225 ret = PTR_ERR(req->open.filename);
2226 req->open.filename = NULL;
2233 static int io_openat(struct io_kiocb *req, struct io_kiocb **nxt,
2234 bool force_nonblock)
2236 struct open_flags op;
2237 struct open_how how;
2241 if (force_nonblock) {
2242 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2246 how = build_open_how(req->open.flags, req->open.mode);
2247 ret = build_open_flags(&how, &op);
2251 ret = get_unused_fd_flags(how.flags);
2255 file = do_filp_open(req->open.dfd, req->open.filename, &op);
2258 ret = PTR_ERR(file);
2260 fsnotify_open(file);
2261 fd_install(ret, file);
2264 putname(req->open.filename);
2266 req_set_fail_links(req);
2267 io_cqring_add_event(req, ret);
2268 io_put_req_find_next(req, nxt);
2272 static int io_statx_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2274 unsigned lookup_flags;
2277 if (sqe->ioprio || sqe->buf_index)
2280 req->open.dfd = READ_ONCE(sqe->fd);
2281 req->open.mask = READ_ONCE(sqe->len);
2282 req->open.fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
2283 req->open.buffer = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2284 req->open.flags = READ_ONCE(sqe->statx_flags);
2286 if (vfs_stat_set_lookup_flags(&lookup_flags, req->open.flags))
2289 req->open.filename = getname_flags(req->open.fname, lookup_flags, NULL);
2290 if (IS_ERR(req->open.filename)) {
2291 ret = PTR_ERR(req->open.filename);
2292 req->open.filename = NULL;
2299 static int io_statx(struct io_kiocb *req, struct io_kiocb **nxt,
2300 bool force_nonblock)
2302 struct io_open *ctx = &req->open;
2303 unsigned lookup_flags;
2311 if (vfs_stat_set_lookup_flags(&lookup_flags, ctx->flags))
2315 /* filename_lookup() drops it, keep a reference */
2316 ctx->filename->refcnt++;
2318 ret = filename_lookup(ctx->dfd, ctx->filename, lookup_flags, &path,
2323 ret = vfs_getattr(&path, &stat, ctx->mask, ctx->flags);
2325 if (retry_estale(ret, lookup_flags)) {
2326 lookup_flags |= LOOKUP_REVAL;
2330 ret = cp_statx(&stat, ctx->buffer);
2332 putname(ctx->filename);
2334 req_set_fail_links(req);
2335 io_cqring_add_event(req, ret);
2336 io_put_req_find_next(req, nxt);
2340 static int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2343 * If we queue this for async, it must not be cancellable. That would
2344 * leave the 'file' in an undeterminate state.
2346 req->work.flags |= IO_WQ_WORK_NO_CANCEL;
2348 if (sqe->ioprio || sqe->off || sqe->addr || sqe->len ||
2349 sqe->rw_flags || sqe->buf_index)
2351 if (sqe->flags & IOSQE_FIXED_FILE)
2354 req->close.fd = READ_ONCE(sqe->fd);
2355 if (req->file->f_op == &io_uring_fops ||
2356 req->close.fd == req->ring_fd)
2362 static void io_close_finish(struct io_wq_work **workptr)
2364 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2365 struct io_kiocb *nxt = NULL;
2367 /* Invoked with files, we need to do the close */
2368 if (req->work.files) {
2371 ret = filp_close(req->close.put_file, req->work.files);
2373 req_set_fail_links(req);
2375 io_cqring_add_event(req, ret);
2378 fput(req->close.put_file);
2380 /* we bypassed the re-issue, drop the submission reference */
2382 io_put_req_find_next(req, &nxt);
2384 io_wq_assign_next(workptr, nxt);
2387 static int io_close(struct io_kiocb *req, struct io_kiocb **nxt,
2388 bool force_nonblock)
2392 req->close.put_file = NULL;
2393 ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
2397 /* if the file has a flush method, be safe and punt to async */
2398 if (req->close.put_file->f_op->flush && !io_wq_current_is_worker()) {
2399 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2404 * No ->flush(), safely close from here and just punt the
2405 * fput() to async context.
2407 ret = filp_close(req->close.put_file, current->files);
2410 req_set_fail_links(req);
2411 io_cqring_add_event(req, ret);
2413 if (io_wq_current_is_worker()) {
2414 struct io_wq_work *old_work, *work;
2416 old_work = work = &req->work;
2417 io_close_finish(&work);
2418 if (work && work != old_work)
2419 *nxt = container_of(work, struct io_kiocb, work);
2424 req->work.func = io_close_finish;
2428 static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2430 struct io_ring_ctx *ctx = req->ctx;
2435 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2437 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2440 req->sync.off = READ_ONCE(sqe->off);
2441 req->sync.len = READ_ONCE(sqe->len);
2442 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
2446 static void io_sync_file_range_finish(struct io_wq_work **workptr)
2448 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2449 struct io_kiocb *nxt = NULL;
2452 if (io_req_cancelled(req))
2455 ret = sync_file_range(req->file, req->sync.off, req->sync.len,
2458 req_set_fail_links(req);
2459 io_cqring_add_event(req, ret);
2460 io_put_req_find_next(req, &nxt);
2462 io_wq_assign_next(workptr, nxt);
2465 static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
2466 bool force_nonblock)
2468 struct io_wq_work *work, *old_work;
2470 /* sync_file_range always requires a blocking context */
2471 if (force_nonblock) {
2473 req->work.func = io_sync_file_range_finish;
2477 work = old_work = &req->work;
2478 io_sync_file_range_finish(&work);
2479 if (work && work != old_work)
2480 *nxt = container_of(work, struct io_kiocb, work);
2484 #if defined(CONFIG_NET)
2485 static void io_sendrecv_async(struct io_wq_work **workptr)
2487 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2488 struct iovec *iov = NULL;
2490 if (req->io->rw.iov != req->io->rw.fast_iov)
2491 iov = req->io->msg.iov;
2492 io_wq_submit_work(workptr);
2497 static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2499 #if defined(CONFIG_NET)
2500 struct io_sr_msg *sr = &req->sr_msg;
2501 struct io_async_ctx *io = req->io;
2503 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2504 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
2509 io->msg.iov = io->msg.fast_iov;
2510 return sendmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
2517 static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2518 bool force_nonblock)
2520 #if defined(CONFIG_NET)
2521 struct io_async_msghdr *kmsg = NULL;
2522 struct socket *sock;
2525 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2528 sock = sock_from_file(req->file, &ret);
2530 struct io_async_ctx io;
2531 struct sockaddr_storage addr;
2535 kmsg = &req->io->msg;
2536 kmsg->msg.msg_name = &addr;
2537 /* if iov is set, it's allocated already */
2539 kmsg->iov = kmsg->fast_iov;
2540 kmsg->msg.msg_iter.iov = kmsg->iov;
2542 struct io_sr_msg *sr = &req->sr_msg;
2545 kmsg->msg.msg_name = &addr;
2547 io.msg.iov = io.msg.fast_iov;
2548 ret = sendmsg_copy_msghdr(&io.msg.msg, sr->msg,
2549 sr->msg_flags, &io.msg.iov);
2554 flags = req->sr_msg.msg_flags;
2555 if (flags & MSG_DONTWAIT)
2556 req->flags |= REQ_F_NOWAIT;
2557 else if (force_nonblock)
2558 flags |= MSG_DONTWAIT;
2560 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
2561 if (force_nonblock && ret == -EAGAIN) {
2564 if (io_alloc_async_ctx(req))
2566 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2567 req->work.func = io_sendrecv_async;
2570 if (ret == -ERESTARTSYS)
2574 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2576 io_cqring_add_event(req, ret);
2578 req_set_fail_links(req);
2579 io_put_req_find_next(req, nxt);
2586 static int io_recvmsg_prep(struct io_kiocb *req,
2587 const struct io_uring_sqe *sqe)
2589 #if defined(CONFIG_NET)
2590 struct io_sr_msg *sr = &req->sr_msg;
2591 struct io_async_ctx *io = req->io;
2593 sr->msg_flags = READ_ONCE(sqe->msg_flags);
2594 sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr));
2599 io->msg.iov = io->msg.fast_iov;
2600 return recvmsg_copy_msghdr(&io->msg.msg, sr->msg, sr->msg_flags,
2601 &io->msg.uaddr, &io->msg.iov);
2607 static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2608 bool force_nonblock)
2610 #if defined(CONFIG_NET)
2611 struct io_async_msghdr *kmsg = NULL;
2612 struct socket *sock;
2615 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2618 sock = sock_from_file(req->file, &ret);
2620 struct io_async_ctx io;
2621 struct sockaddr_storage addr;
2625 kmsg = &req->io->msg;
2626 kmsg->msg.msg_name = &addr;
2627 /* if iov is set, it's allocated already */
2629 kmsg->iov = kmsg->fast_iov;
2630 kmsg->msg.msg_iter.iov = kmsg->iov;
2632 struct io_sr_msg *sr = &req->sr_msg;
2635 kmsg->msg.msg_name = &addr;
2637 io.msg.iov = io.msg.fast_iov;
2638 ret = recvmsg_copy_msghdr(&io.msg.msg, sr->msg,
2639 sr->msg_flags, &io.msg.uaddr,
2645 flags = req->sr_msg.msg_flags;
2646 if (flags & MSG_DONTWAIT)
2647 req->flags |= REQ_F_NOWAIT;
2648 else if (force_nonblock)
2649 flags |= MSG_DONTWAIT;
2651 ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
2652 kmsg->uaddr, flags);
2653 if (force_nonblock && ret == -EAGAIN) {
2656 if (io_alloc_async_ctx(req))
2658 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2659 req->work.func = io_sendrecv_async;
2662 if (ret == -ERESTARTSYS)
2666 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2668 io_cqring_add_event(req, ret);
2670 req_set_fail_links(req);
2671 io_put_req_find_next(req, nxt);
2678 static int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2680 #if defined(CONFIG_NET)
2681 struct io_accept *accept = &req->accept;
2683 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2685 if (sqe->ioprio || sqe->len || sqe->buf_index)
2688 accept->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2689 accept->addr_len = u64_to_user_ptr(READ_ONCE(sqe->addr2));
2690 accept->flags = READ_ONCE(sqe->accept_flags);
2697 #if defined(CONFIG_NET)
2698 static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2699 bool force_nonblock)
2701 struct io_accept *accept = &req->accept;
2702 unsigned file_flags;
2705 file_flags = force_nonblock ? O_NONBLOCK : 0;
2706 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2707 accept->addr_len, accept->flags);
2708 if (ret == -EAGAIN && force_nonblock)
2710 if (ret == -ERESTARTSYS)
2713 req_set_fail_links(req);
2714 io_cqring_add_event(req, ret);
2715 io_put_req_find_next(req, nxt);
2719 static void io_accept_finish(struct io_wq_work **workptr)
2721 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2722 struct io_kiocb *nxt = NULL;
2724 if (io_req_cancelled(req))
2726 __io_accept(req, &nxt, false);
2728 io_wq_assign_next(workptr, nxt);
2732 static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2733 bool force_nonblock)
2735 #if defined(CONFIG_NET)
2738 ret = __io_accept(req, nxt, force_nonblock);
2739 if (ret == -EAGAIN && force_nonblock) {
2740 req->work.func = io_accept_finish;
2741 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2751 static int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
2753 #if defined(CONFIG_NET)
2754 struct io_connect *conn = &req->connect;
2755 struct io_async_ctx *io = req->io;
2757 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2759 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
2762 conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
2763 conn->addr_len = READ_ONCE(sqe->addr2);
2768 return move_addr_to_kernel(conn->addr, conn->addr_len,
2769 &io->connect.address);
2775 static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
2776 bool force_nonblock)
2778 #if defined(CONFIG_NET)
2779 struct io_async_ctx __io, *io;
2780 unsigned file_flags;
2786 ret = move_addr_to_kernel(req->connect.addr,
2787 req->connect.addr_len,
2788 &__io.connect.address);
2794 file_flags = force_nonblock ? O_NONBLOCK : 0;
2796 ret = __sys_connect_file(req->file, &io->connect.address,
2797 req->connect.addr_len, file_flags);
2798 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
2801 if (io_alloc_async_ctx(req)) {
2805 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
2808 if (ret == -ERESTARTSYS)
2812 req_set_fail_links(req);
2813 io_cqring_add_event(req, ret);
2814 io_put_req_find_next(req, nxt);
2821 static void io_poll_remove_one(struct io_kiocb *req)
2823 struct io_poll_iocb *poll = &req->poll;
2825 spin_lock(&poll->head->lock);
2826 WRITE_ONCE(poll->canceled, true);
2827 if (!list_empty(&poll->wait.entry)) {
2828 list_del_init(&poll->wait.entry);
2829 io_queue_async_work(req);
2831 spin_unlock(&poll->head->lock);
2832 hash_del(&req->hash_node);
2835 static void io_poll_remove_all(struct io_ring_ctx *ctx)
2837 struct hlist_node *tmp;
2838 struct io_kiocb *req;
2841 spin_lock_irq(&ctx->completion_lock);
2842 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
2843 struct hlist_head *list;
2845 list = &ctx->cancel_hash[i];
2846 hlist_for_each_entry_safe(req, tmp, list, hash_node)
2847 io_poll_remove_one(req);
2849 spin_unlock_irq(&ctx->completion_lock);
2852 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
2854 struct hlist_head *list;
2855 struct io_kiocb *req;
2857 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
2858 hlist_for_each_entry(req, list, hash_node) {
2859 if (sqe_addr == req->user_data) {
2860 io_poll_remove_one(req);
2868 static int io_poll_remove_prep(struct io_kiocb *req,
2869 const struct io_uring_sqe *sqe)
2871 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2873 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
2877 req->poll.addr = READ_ONCE(sqe->addr);
2882 * Find a running poll command that matches one specified in sqe->addr,
2883 * and remove it if found.
2885 static int io_poll_remove(struct io_kiocb *req)
2887 struct io_ring_ctx *ctx = req->ctx;
2891 addr = req->poll.addr;
2892 spin_lock_irq(&ctx->completion_lock);
2893 ret = io_poll_cancel(ctx, addr);
2894 spin_unlock_irq(&ctx->completion_lock);
2896 io_cqring_add_event(req, ret);
2898 req_set_fail_links(req);
2903 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
2905 struct io_ring_ctx *ctx = req->ctx;
2907 req->poll.done = true;
2909 io_cqring_fill_event(req, error);
2911 io_cqring_fill_event(req, mangle_poll(mask));
2912 io_commit_cqring(ctx);
2915 static void io_poll_complete_work(struct io_wq_work **workptr)
2917 struct io_wq_work *work = *workptr;
2918 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2919 struct io_poll_iocb *poll = &req->poll;
2920 struct poll_table_struct pt = { ._key = poll->events };
2921 struct io_ring_ctx *ctx = req->ctx;
2922 struct io_kiocb *nxt = NULL;
2926 if (work->flags & IO_WQ_WORK_CANCEL) {
2927 WRITE_ONCE(poll->canceled, true);
2929 } else if (READ_ONCE(poll->canceled)) {
2933 if (ret != -ECANCELED)
2934 mask = vfs_poll(poll->file, &pt) & poll->events;
2937 * Note that ->ki_cancel callers also delete iocb from active_reqs after
2938 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
2939 * synchronize with them. In the cancellation case the list_del_init
2940 * itself is not actually needed, but harmless so we keep it in to
2941 * avoid further branches in the fast path.
2943 spin_lock_irq(&ctx->completion_lock);
2944 if (!mask && ret != -ECANCELED) {
2945 add_wait_queue(poll->head, &poll->wait);
2946 spin_unlock_irq(&ctx->completion_lock);
2949 hash_del(&req->hash_node);
2950 io_poll_complete(req, mask, ret);
2951 spin_unlock_irq(&ctx->completion_lock);
2953 io_cqring_ev_posted(ctx);
2956 req_set_fail_links(req);
2957 io_put_req_find_next(req, &nxt);
2959 io_wq_assign_next(workptr, nxt);
2962 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2965 struct io_poll_iocb *poll = wait->private;
2966 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
2967 struct io_ring_ctx *ctx = req->ctx;
2968 __poll_t mask = key_to_poll(key);
2969 unsigned long flags;
2971 /* for instances that support it check for an event match first: */
2972 if (mask && !(mask & poll->events))
2975 list_del_init(&poll->wait.entry);
2978 * Run completion inline if we can. We're using trylock here because
2979 * we are violating the completion_lock -> poll wq lock ordering.
2980 * If we have a link timeout we're going to need the completion_lock
2981 * for finalizing the request, mark us as having grabbed that already.
2983 if (mask && spin_trylock_irqsave(&ctx->completion_lock, flags)) {
2984 hash_del(&req->hash_node);
2985 io_poll_complete(req, mask, 0);
2986 req->flags |= REQ_F_COMP_LOCKED;
2988 spin_unlock_irqrestore(&ctx->completion_lock, flags);
2990 io_cqring_ev_posted(ctx);
2992 io_queue_async_work(req);
2998 struct io_poll_table {
2999 struct poll_table_struct pt;
3000 struct io_kiocb *req;
3004 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
3005 struct poll_table_struct *p)
3007 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
3009 if (unlikely(pt->req->poll.head)) {
3010 pt->error = -EINVAL;
3015 pt->req->poll.head = head;
3016 add_wait_queue(head, &pt->req->poll.wait);
3019 static void io_poll_req_insert(struct io_kiocb *req)
3021 struct io_ring_ctx *ctx = req->ctx;
3022 struct hlist_head *list;
3024 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
3025 hlist_add_head(&req->hash_node, list);
3028 static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3030 struct io_poll_iocb *poll = &req->poll;
3033 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3035 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
3040 events = READ_ONCE(sqe->poll_events);
3041 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
3045 static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
3047 struct io_poll_iocb *poll = &req->poll;
3048 struct io_ring_ctx *ctx = req->ctx;
3049 struct io_poll_table ipt;
3050 bool cancel = false;
3053 INIT_IO_WORK(&req->work, io_poll_complete_work);
3054 INIT_HLIST_NODE(&req->hash_node);
3058 poll->canceled = false;
3060 ipt.pt._qproc = io_poll_queue_proc;
3061 ipt.pt._key = poll->events;
3063 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
3065 /* initialized the list so that we can do list_empty checks */
3066 INIT_LIST_HEAD(&poll->wait.entry);
3067 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
3068 poll->wait.private = poll;
3070 INIT_LIST_HEAD(&req->list);
3072 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
3074 spin_lock_irq(&ctx->completion_lock);
3075 if (likely(poll->head)) {
3076 spin_lock(&poll->head->lock);
3077 if (unlikely(list_empty(&poll->wait.entry))) {
3083 if (mask || ipt.error)
3084 list_del_init(&poll->wait.entry);
3086 WRITE_ONCE(poll->canceled, true);
3087 else if (!poll->done) /* actually waiting for an event */
3088 io_poll_req_insert(req);
3089 spin_unlock(&poll->head->lock);
3091 if (mask) { /* no async, we'd stolen it */
3093 io_poll_complete(req, mask, 0);
3095 spin_unlock_irq(&ctx->completion_lock);
3098 io_cqring_ev_posted(ctx);
3099 io_put_req_find_next(req, nxt);
3104 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
3106 struct io_timeout_data *data = container_of(timer,
3107 struct io_timeout_data, timer);
3108 struct io_kiocb *req = data->req;
3109 struct io_ring_ctx *ctx = req->ctx;
3110 unsigned long flags;
3112 atomic_inc(&ctx->cq_timeouts);
3114 spin_lock_irqsave(&ctx->completion_lock, flags);
3116 * We could be racing with timeout deletion. If the list is empty,
3117 * then timeout lookup already found it and will be handling it.
3119 if (!list_empty(&req->list)) {
3120 struct io_kiocb *prev;
3123 * Adjust the reqs sequence before the current one because it
3124 * will consume a slot in the cq_ring and the cq_tail
3125 * pointer will be increased, otherwise other timeout reqs may
3126 * return in advance without waiting for enough wait_nr.
3129 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
3131 list_del_init(&req->list);
3134 io_cqring_fill_event(req, -ETIME);
3135 io_commit_cqring(ctx);
3136 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3138 io_cqring_ev_posted(ctx);
3139 req_set_fail_links(req);
3141 return HRTIMER_NORESTART;
3144 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
3146 struct io_kiocb *req;
3149 list_for_each_entry(req, &ctx->timeout_list, list) {
3150 if (user_data == req->user_data) {
3151 list_del_init(&req->list);
3160 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
3164 req_set_fail_links(req);
3165 io_cqring_fill_event(req, -ECANCELED);
3170 static int io_timeout_remove_prep(struct io_kiocb *req,
3171 const struct io_uring_sqe *sqe)
3173 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3175 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
3178 req->timeout.addr = READ_ONCE(sqe->addr);
3179 req->timeout.flags = READ_ONCE(sqe->timeout_flags);
3180 if (req->timeout.flags)
3187 * Remove or update an existing timeout command
3189 static int io_timeout_remove(struct io_kiocb *req)
3191 struct io_ring_ctx *ctx = req->ctx;
3194 spin_lock_irq(&ctx->completion_lock);
3195 ret = io_timeout_cancel(ctx, req->timeout.addr);
3197 io_cqring_fill_event(req, ret);
3198 io_commit_cqring(ctx);
3199 spin_unlock_irq(&ctx->completion_lock);
3200 io_cqring_ev_posted(ctx);
3202 req_set_fail_links(req);
3207 static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3208 bool is_timeout_link)
3210 struct io_timeout_data *data;
3213 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3215 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
3217 if (sqe->off && is_timeout_link)
3219 flags = READ_ONCE(sqe->timeout_flags);
3220 if (flags & ~IORING_TIMEOUT_ABS)
3223 req->timeout.count = READ_ONCE(sqe->off);
3225 if (!req->io && io_alloc_async_ctx(req))
3228 data = &req->io->timeout;
3230 req->flags |= REQ_F_TIMEOUT;
3232 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
3235 if (flags & IORING_TIMEOUT_ABS)
3236 data->mode = HRTIMER_MODE_ABS;
3238 data->mode = HRTIMER_MODE_REL;
3240 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
3244 static int io_timeout(struct io_kiocb *req)
3247 struct io_ring_ctx *ctx = req->ctx;
3248 struct io_timeout_data *data;
3249 struct list_head *entry;
3252 data = &req->io->timeout;
3255 * sqe->off holds how many events that need to occur for this
3256 * timeout event to be satisfied. If it isn't set, then this is
3257 * a pure timeout request, sequence isn't used.
3259 count = req->timeout.count;
3261 req->flags |= REQ_F_TIMEOUT_NOSEQ;
3262 spin_lock_irq(&ctx->completion_lock);
3263 entry = ctx->timeout_list.prev;
3267 req->sequence = ctx->cached_sq_head + count - 1;
3268 data->seq_offset = count;
3271 * Insertion sort, ensuring the first entry in the list is always
3272 * the one we need first.
3274 spin_lock_irq(&ctx->completion_lock);
3275 list_for_each_prev(entry, &ctx->timeout_list) {
3276 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
3277 unsigned nxt_sq_head;
3278 long long tmp, tmp_nxt;
3279 u32 nxt_offset = nxt->io->timeout.seq_offset;
3281 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
3285 * Since cached_sq_head + count - 1 can overflow, use type long
3288 tmp = (long long)ctx->cached_sq_head + count - 1;
3289 nxt_sq_head = nxt->sequence - nxt_offset + 1;
3290 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
3293 * cached_sq_head may overflow, and it will never overflow twice
3294 * once there is some timeout req still be valid.
3296 if (ctx->cached_sq_head < nxt_sq_head)
3303 * Sequence of reqs after the insert one and itself should
3304 * be adjusted because each timeout req consumes a slot.
3309 req->sequence -= span;
3311 list_add(&req->list, entry);
3312 data->timer.function = io_timeout_fn;
3313 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
3314 spin_unlock_irq(&ctx->completion_lock);
3318 static bool io_cancel_cb(struct io_wq_work *work, void *data)
3320 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3322 return req->user_data == (unsigned long) data;
3325 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
3327 enum io_wq_cancel cancel_ret;
3330 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
3331 switch (cancel_ret) {
3332 case IO_WQ_CANCEL_OK:
3335 case IO_WQ_CANCEL_RUNNING:
3338 case IO_WQ_CANCEL_NOTFOUND:
3346 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
3347 struct io_kiocb *req, __u64 sqe_addr,
3348 struct io_kiocb **nxt, int success_ret)
3350 unsigned long flags;
3353 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
3354 if (ret != -ENOENT) {
3355 spin_lock_irqsave(&ctx->completion_lock, flags);
3359 spin_lock_irqsave(&ctx->completion_lock, flags);
3360 ret = io_timeout_cancel(ctx, sqe_addr);
3363 ret = io_poll_cancel(ctx, sqe_addr);
3367 io_cqring_fill_event(req, ret);
3368 io_commit_cqring(ctx);
3369 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3370 io_cqring_ev_posted(ctx);
3373 req_set_fail_links(req);
3374 io_put_req_find_next(req, nxt);
3377 static int io_async_cancel_prep(struct io_kiocb *req,
3378 const struct io_uring_sqe *sqe)
3380 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
3382 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3386 req->cancel.addr = READ_ONCE(sqe->addr);
3390 static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3392 struct io_ring_ctx *ctx = req->ctx;
3394 io_async_find_and_cancel(ctx, req, req->cancel.addr, nxt, 0);
3398 static int io_files_update_prep(struct io_kiocb *req,
3399 const struct io_uring_sqe *sqe)
3401 if (sqe->flags || sqe->ioprio || sqe->rw_flags)
3404 req->files_update.offset = READ_ONCE(sqe->off);
3405 req->files_update.nr_args = READ_ONCE(sqe->len);
3406 if (!req->files_update.nr_args)
3408 req->files_update.arg = READ_ONCE(sqe->addr);
3412 static int io_files_update(struct io_kiocb *req, bool force_nonblock)
3414 struct io_ring_ctx *ctx = req->ctx;
3415 struct io_uring_files_update up;
3418 if (force_nonblock) {
3419 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
3423 up.offset = req->files_update.offset;
3424 up.fds = req->files_update.arg;
3426 mutex_lock(&ctx->uring_lock);
3427 ret = __io_sqe_files_update(ctx, &up, req->files_update.nr_args);
3428 mutex_unlock(&ctx->uring_lock);
3431 req_set_fail_links(req);
3432 io_cqring_add_event(req, ret);
3437 static int io_req_defer_prep(struct io_kiocb *req,
3438 const struct io_uring_sqe *sqe)
3442 switch (req->opcode) {
3445 case IORING_OP_READV:
3446 case IORING_OP_READ_FIXED:
3447 ret = io_read_prep(req, sqe, true);
3449 case IORING_OP_WRITEV:
3450 case IORING_OP_WRITE_FIXED:
3451 ret = io_write_prep(req, sqe, true);
3453 case IORING_OP_POLL_ADD:
3454 ret = io_poll_add_prep(req, sqe);
3456 case IORING_OP_POLL_REMOVE:
3457 ret = io_poll_remove_prep(req, sqe);
3459 case IORING_OP_FSYNC:
3460 ret = io_prep_fsync(req, sqe);
3462 case IORING_OP_SYNC_FILE_RANGE:
3463 ret = io_prep_sfr(req, sqe);
3465 case IORING_OP_SENDMSG:
3466 ret = io_sendmsg_prep(req, sqe);
3468 case IORING_OP_RECVMSG:
3469 ret = io_recvmsg_prep(req, sqe);
3471 case IORING_OP_CONNECT:
3472 ret = io_connect_prep(req, sqe);
3474 case IORING_OP_TIMEOUT:
3475 ret = io_timeout_prep(req, sqe, false);
3477 case IORING_OP_TIMEOUT_REMOVE:
3478 ret = io_timeout_remove_prep(req, sqe);
3480 case IORING_OP_ASYNC_CANCEL:
3481 ret = io_async_cancel_prep(req, sqe);
3483 case IORING_OP_LINK_TIMEOUT:
3484 ret = io_timeout_prep(req, sqe, true);
3486 case IORING_OP_ACCEPT:
3487 ret = io_accept_prep(req, sqe);
3489 case IORING_OP_FALLOCATE:
3490 ret = io_fallocate_prep(req, sqe);
3492 case IORING_OP_OPENAT:
3493 ret = io_openat_prep(req, sqe);
3495 case IORING_OP_CLOSE:
3496 ret = io_close_prep(req, sqe);
3498 case IORING_OP_FILES_UPDATE:
3499 ret = io_files_update_prep(req, sqe);
3501 case IORING_OP_STATX:
3502 ret = io_statx_prep(req, sqe);
3505 printk_once(KERN_WARNING "io_uring: unhandled opcode %d\n",
3514 static int io_req_defer(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3516 struct io_ring_ctx *ctx = req->ctx;
3519 /* Still need defer if there is pending req in defer list. */
3520 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
3523 if (!req->io && io_alloc_async_ctx(req))
3526 ret = io_req_defer_prep(req, sqe);
3530 spin_lock_irq(&ctx->completion_lock);
3531 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
3532 spin_unlock_irq(&ctx->completion_lock);
3536 trace_io_uring_defer(ctx, req, req->user_data);
3537 list_add_tail(&req->list, &ctx->defer_list);
3538 spin_unlock_irq(&ctx->completion_lock);
3539 return -EIOCBQUEUED;
3542 static int io_issue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
3543 struct io_kiocb **nxt, bool force_nonblock)
3545 struct io_ring_ctx *ctx = req->ctx;
3548 switch (req->opcode) {
3552 case IORING_OP_READV:
3553 case IORING_OP_READ_FIXED:
3555 ret = io_read_prep(req, sqe, force_nonblock);
3559 ret = io_read(req, nxt, force_nonblock);
3561 case IORING_OP_WRITEV:
3562 case IORING_OP_WRITE_FIXED:
3564 ret = io_write_prep(req, sqe, force_nonblock);
3568 ret = io_write(req, nxt, force_nonblock);
3570 case IORING_OP_FSYNC:
3572 ret = io_prep_fsync(req, sqe);
3576 ret = io_fsync(req, nxt, force_nonblock);
3578 case IORING_OP_POLL_ADD:
3580 ret = io_poll_add_prep(req, sqe);
3584 ret = io_poll_add(req, nxt);
3586 case IORING_OP_POLL_REMOVE:
3588 ret = io_poll_remove_prep(req, sqe);
3592 ret = io_poll_remove(req);
3594 case IORING_OP_SYNC_FILE_RANGE:
3596 ret = io_prep_sfr(req, sqe);
3600 ret = io_sync_file_range(req, nxt, force_nonblock);
3602 case IORING_OP_SENDMSG:
3604 ret = io_sendmsg_prep(req, sqe);
3608 ret = io_sendmsg(req, nxt, force_nonblock);
3610 case IORING_OP_RECVMSG:
3612 ret = io_recvmsg_prep(req, sqe);
3616 ret = io_recvmsg(req, nxt, force_nonblock);
3618 case IORING_OP_TIMEOUT:
3620 ret = io_timeout_prep(req, sqe, false);
3624 ret = io_timeout(req);
3626 case IORING_OP_TIMEOUT_REMOVE:
3628 ret = io_timeout_remove_prep(req, sqe);
3632 ret = io_timeout_remove(req);
3634 case IORING_OP_ACCEPT:
3636 ret = io_accept_prep(req, sqe);
3640 ret = io_accept(req, nxt, force_nonblock);
3642 case IORING_OP_CONNECT:
3644 ret = io_connect_prep(req, sqe);
3648 ret = io_connect(req, nxt, force_nonblock);
3650 case IORING_OP_ASYNC_CANCEL:
3652 ret = io_async_cancel_prep(req, sqe);
3656 ret = io_async_cancel(req, nxt);
3658 case IORING_OP_FALLOCATE:
3660 ret = io_fallocate_prep(req, sqe);
3664 ret = io_fallocate(req, nxt, force_nonblock);
3666 case IORING_OP_OPENAT:
3668 ret = io_openat_prep(req, sqe);
3672 ret = io_openat(req, nxt, force_nonblock);
3674 case IORING_OP_CLOSE:
3676 ret = io_close_prep(req, sqe);
3680 ret = io_close(req, nxt, force_nonblock);
3682 case IORING_OP_FILES_UPDATE:
3684 ret = io_files_update_prep(req, sqe);
3688 ret = io_files_update(req, force_nonblock);
3690 case IORING_OP_STATX:
3692 ret = io_statx_prep(req, sqe);
3696 ret = io_statx(req, nxt, force_nonblock);
3706 if (ctx->flags & IORING_SETUP_IOPOLL) {
3707 const bool in_async = io_wq_current_is_worker();
3709 if (req->result == -EAGAIN)
3712 /* workqueue context doesn't hold uring_lock, grab it now */
3714 mutex_lock(&ctx->uring_lock);
3716 io_iopoll_req_issued(req);
3719 mutex_unlock(&ctx->uring_lock);
3725 static void io_wq_submit_work(struct io_wq_work **workptr)
3727 struct io_wq_work *work = *workptr;
3728 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3729 struct io_kiocb *nxt = NULL;
3732 /* if NO_CANCEL is set, we must still run the work */
3733 if ((work->flags & (IO_WQ_WORK_CANCEL|IO_WQ_WORK_NO_CANCEL)) ==
3734 IO_WQ_WORK_CANCEL) {
3739 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
3740 req->in_async = true;
3742 ret = io_issue_sqe(req, NULL, &nxt, false);
3744 * We can get EAGAIN for polled IO even though we're
3745 * forcing a sync submission from here, since we can't
3746 * wait for request slots on the block side.
3754 /* drop submission reference */
3758 req_set_fail_links(req);
3759 io_cqring_add_event(req, ret);
3763 /* if a dependent link is ready, pass it back */
3765 io_wq_assign_next(workptr, nxt);
3768 static bool io_req_op_valid(int op)
3770 return op >= IORING_OP_NOP && op < IORING_OP_LAST;
3773 static int io_req_needs_file(struct io_kiocb *req, int fd)
3775 switch (req->opcode) {
3777 case IORING_OP_POLL_REMOVE:
3778 case IORING_OP_TIMEOUT:
3779 case IORING_OP_TIMEOUT_REMOVE:
3780 case IORING_OP_ASYNC_CANCEL:
3781 case IORING_OP_LINK_TIMEOUT:
3783 case IORING_OP_OPENAT:
3784 case IORING_OP_STATX:
3787 if (io_req_op_valid(req->opcode))
3793 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
3796 struct fixed_file_table *table;
3798 table = &ctx->file_data->table[index >> IORING_FILE_TABLE_SHIFT];
3799 return table->files[index & IORING_FILE_TABLE_MASK];;
3802 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req,
3803 const struct io_uring_sqe *sqe)
3805 struct io_ring_ctx *ctx = req->ctx;
3809 flags = READ_ONCE(sqe->flags);
3810 fd = READ_ONCE(sqe->fd);
3812 if (flags & IOSQE_IO_DRAIN)
3813 req->flags |= REQ_F_IO_DRAIN;
3815 ret = io_req_needs_file(req, fd);
3819 if (flags & IOSQE_FIXED_FILE) {
3820 if (unlikely(!ctx->file_data ||
3821 (unsigned) fd >= ctx->nr_user_files))
3823 fd = array_index_nospec(fd, ctx->nr_user_files);
3824 req->file = io_file_from_index(ctx, fd);
3827 req->flags |= REQ_F_FIXED_FILE;
3828 percpu_ref_get(&ctx->file_data->refs);
3830 if (req->needs_fixed_file)
3832 trace_io_uring_file_get(ctx, fd);
3833 req->file = io_file_get(state, fd);
3834 if (unlikely(!req->file))
3841 static int io_grab_files(struct io_kiocb *req)
3844 struct io_ring_ctx *ctx = req->ctx;
3846 if (!req->ring_file)
3850 spin_lock_irq(&ctx->inflight_lock);
3852 * We use the f_ops->flush() handler to ensure that we can flush
3853 * out work accessing these files if the fd is closed. Check if
3854 * the fd has changed since we started down this path, and disallow
3855 * this operation if it has.
3857 if (fcheck(req->ring_fd) == req->ring_file) {
3858 list_add(&req->inflight_entry, &ctx->inflight_list);
3859 req->flags |= REQ_F_INFLIGHT;
3860 req->work.files = current->files;
3863 spin_unlock_irq(&ctx->inflight_lock);
3869 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
3871 struct io_timeout_data *data = container_of(timer,
3872 struct io_timeout_data, timer);
3873 struct io_kiocb *req = data->req;
3874 struct io_ring_ctx *ctx = req->ctx;
3875 struct io_kiocb *prev = NULL;
3876 unsigned long flags;
3878 spin_lock_irqsave(&ctx->completion_lock, flags);
3881 * We don't expect the list to be empty, that will only happen if we
3882 * race with the completion of the linked work.
3884 if (!list_empty(&req->link_list)) {
3885 prev = list_entry(req->link_list.prev, struct io_kiocb,
3887 if (refcount_inc_not_zero(&prev->refs)) {
3888 list_del_init(&req->link_list);
3889 prev->flags &= ~REQ_F_LINK_TIMEOUT;
3894 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3897 req_set_fail_links(prev);
3898 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
3902 io_cqring_add_event(req, -ETIME);
3905 return HRTIMER_NORESTART;
3908 static void io_queue_linked_timeout(struct io_kiocb *req)
3910 struct io_ring_ctx *ctx = req->ctx;
3913 * If the list is now empty, then our linked request finished before
3914 * we got a chance to setup the timer
3916 spin_lock_irq(&ctx->completion_lock);
3917 if (!list_empty(&req->link_list)) {
3918 struct io_timeout_data *data = &req->io->timeout;
3920 data->timer.function = io_link_timeout_fn;
3921 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
3924 spin_unlock_irq(&ctx->completion_lock);
3926 /* drop submission reference */
3930 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
3932 struct io_kiocb *nxt;
3934 if (!(req->flags & REQ_F_LINK))
3937 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
3939 if (!nxt || nxt->opcode != IORING_OP_LINK_TIMEOUT)
3942 req->flags |= REQ_F_LINK_TIMEOUT;
3946 static void __io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
3948 struct io_kiocb *linked_timeout;
3949 struct io_kiocb *nxt = NULL;
3953 linked_timeout = io_prep_linked_timeout(req);
3955 ret = io_issue_sqe(req, sqe, &nxt, true);
3958 * We async punt it if the file wasn't marked NOWAIT, or if the file
3959 * doesn't support non-blocking read/write attempts
3961 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
3962 (req->flags & REQ_F_MUST_PUNT))) {
3963 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
3964 ret = io_grab_files(req);
3970 * Queued up for async execution, worker will release
3971 * submit reference when the iocb is actually submitted.
3973 io_queue_async_work(req);
3978 /* drop submission reference */
3981 if (linked_timeout) {
3983 io_queue_linked_timeout(linked_timeout);
3985 io_put_req(linked_timeout);
3988 /* and drop final reference, if we failed */
3990 io_cqring_add_event(req, ret);
3991 req_set_fail_links(req);
4002 static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe)
4006 if (unlikely(req->ctx->drain_next)) {
4007 req->flags |= REQ_F_IO_DRAIN;
4008 req->ctx->drain_next = false;
4010 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
4012 ret = io_req_defer(req, sqe);
4014 if (ret != -EIOCBQUEUED) {
4015 io_cqring_add_event(req, ret);
4016 req_set_fail_links(req);
4017 io_double_put_req(req);
4019 } else if ((req->flags & REQ_F_FORCE_ASYNC) &&
4020 !io_wq_current_is_worker()) {
4022 * Never try inline submit of IOSQE_ASYNC is set, go straight
4023 * to async execution.
4025 req->work.flags |= IO_WQ_WORK_CONCURRENT;
4026 io_queue_async_work(req);
4028 __io_queue_sqe(req, sqe);
4032 static inline void io_queue_link_head(struct io_kiocb *req)
4034 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
4035 io_cqring_add_event(req, -ECANCELED);
4036 io_double_put_req(req);
4038 io_queue_sqe(req, NULL);
4041 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
4042 IOSQE_IO_HARDLINK | IOSQE_ASYNC)
4044 static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
4045 struct io_submit_state *state, struct io_kiocb **link)
4047 struct io_ring_ctx *ctx = req->ctx;
4048 unsigned int sqe_flags;
4051 sqe_flags = READ_ONCE(sqe->flags);
4053 /* enforce forwards compatibility on users */
4054 if (unlikely(sqe_flags & ~SQE_VALID_FLAGS)) {
4058 if (sqe_flags & IOSQE_ASYNC)
4059 req->flags |= REQ_F_FORCE_ASYNC;
4061 ret = io_req_set_file(state, req, sqe);
4062 if (unlikely(ret)) {
4064 io_cqring_add_event(req, ret);
4065 io_double_put_req(req);
4070 * If we already have a head request, queue this one for async
4071 * submittal once the head completes. If we don't have a head but
4072 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
4073 * submitted sync once the chain is complete. If none of those
4074 * conditions are true (normal request), then just queue it.
4077 struct io_kiocb *head = *link;
4079 if (sqe_flags & IOSQE_IO_DRAIN)
4080 head->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
4082 if (sqe_flags & IOSQE_IO_HARDLINK)
4083 req->flags |= REQ_F_HARDLINK;
4085 if (io_alloc_async_ctx(req)) {
4090 ret = io_req_defer_prep(req, sqe);
4092 /* fail even hard links since we don't submit */
4093 head->flags |= REQ_F_FAIL_LINK;
4096 trace_io_uring_link(ctx, req, head);
4097 list_add_tail(&req->link_list, &head->link_list);
4099 /* last request of a link, enqueue the link */
4100 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK))) {
4101 io_queue_link_head(head);
4104 } else if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
4105 req->flags |= REQ_F_LINK;
4106 if (sqe_flags & IOSQE_IO_HARDLINK)
4107 req->flags |= REQ_F_HARDLINK;
4109 INIT_LIST_HEAD(&req->link_list);
4110 ret = io_req_defer_prep(req, sqe);
4112 req->flags |= REQ_F_FAIL_LINK;
4115 io_queue_sqe(req, sqe);
4122 * Batched submission is done, ensure local IO is flushed out.
4124 static void io_submit_state_end(struct io_submit_state *state)
4126 blk_finish_plug(&state->plug);
4128 if (state->free_reqs)
4129 kmem_cache_free_bulk(req_cachep, state->free_reqs,
4130 &state->reqs[state->cur_req]);
4134 * Start submission side cache.
4136 static void io_submit_state_start(struct io_submit_state *state,
4137 unsigned int max_ios)
4139 blk_start_plug(&state->plug);
4140 state->free_reqs = 0;
4142 state->ios_left = max_ios;
4145 static void io_commit_sqring(struct io_ring_ctx *ctx)
4147 struct io_rings *rings = ctx->rings;
4149 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
4151 * Ensure any loads from the SQEs are done at this point,
4152 * since once we write the new head, the application could
4153 * write new data to them.
4155 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
4160 * Fetch an sqe, if one is available. Note that sqe_ptr will point to memory
4161 * that is mapped by userspace. This means that care needs to be taken to
4162 * ensure that reads are stable, as we cannot rely on userspace always
4163 * being a good citizen. If members of the sqe are validated and then later
4164 * used, it's important that those reads are done through READ_ONCE() to
4165 * prevent a re-load down the line.
4167 static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req,
4168 const struct io_uring_sqe **sqe_ptr)
4170 struct io_rings *rings = ctx->rings;
4171 u32 *sq_array = ctx->sq_array;
4175 * The cached sq head (or cq tail) serves two purposes:
4177 * 1) allows us to batch the cost of updating the user visible
4179 * 2) allows the kernel side to track the head on its own, even
4180 * though the application is the one updating it.
4182 head = ctx->cached_sq_head;
4183 /* make sure SQ entry isn't read before tail */
4184 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
4187 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
4188 if (likely(head < ctx->sq_entries)) {
4190 * All io need record the previous position, if LINK vs DARIN,
4191 * it can be used to mark the position of the first IO in the
4194 req->sequence = ctx->cached_sq_head;
4195 *sqe_ptr = &ctx->sq_sqes[head];
4196 req->opcode = READ_ONCE((*sqe_ptr)->opcode);
4197 req->user_data = READ_ONCE((*sqe_ptr)->user_data);
4198 ctx->cached_sq_head++;
4202 /* drop invalid entries */
4203 ctx->cached_sq_head++;
4204 ctx->cached_sq_dropped++;
4205 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
4209 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
4210 struct file *ring_file, int ring_fd,
4211 struct mm_struct **mm, bool async)
4213 struct io_submit_state state, *statep = NULL;
4214 struct io_kiocb *link = NULL;
4215 int i, submitted = 0;
4216 bool mm_fault = false;
4218 /* if we have a backlog and couldn't flush it all, return BUSY */
4219 if (!list_empty(&ctx->cq_overflow_list) &&
4220 !io_cqring_overflow_flush(ctx, false))
4223 if (nr > IO_PLUG_THRESHOLD) {
4224 io_submit_state_start(&state, nr);
4228 for (i = 0; i < nr; i++) {
4229 const struct io_uring_sqe *sqe;
4230 struct io_kiocb *req;
4232 req = io_get_req(ctx, statep);
4233 if (unlikely(!req)) {
4235 submitted = -EAGAIN;
4238 if (!io_get_sqring(ctx, req, &sqe)) {
4243 if (io_req_needs_user(req) && !*mm) {
4244 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
4246 use_mm(ctx->sqo_mm);
4252 req->ring_file = ring_file;
4253 req->ring_fd = ring_fd;
4254 req->has_user = *mm != NULL;
4255 req->in_async = async;
4256 req->needs_fixed_file = async;
4257 trace_io_uring_submit_sqe(ctx, req->user_data, true, async);
4258 if (!io_submit_sqe(req, sqe, statep, &link))
4263 io_queue_link_head(link);
4265 io_submit_state_end(&state);
4267 /* Commit SQ ring head once we've consumed and submitted all SQEs */
4268 io_commit_sqring(ctx);
4273 static int io_sq_thread(void *data)
4275 struct io_ring_ctx *ctx = data;
4276 struct mm_struct *cur_mm = NULL;
4277 const struct cred *old_cred;
4278 mm_segment_t old_fs;
4281 unsigned long timeout;
4284 complete(&ctx->completions[1]);
4288 old_cred = override_creds(ctx->creds);
4290 ret = timeout = inflight = 0;
4291 while (!kthread_should_park()) {
4292 unsigned int to_submit;
4295 unsigned nr_events = 0;
4297 if (ctx->flags & IORING_SETUP_IOPOLL) {
4299 * inflight is the count of the maximum possible
4300 * entries we submitted, but it can be smaller
4301 * if we dropped some of them. If we don't have
4302 * poll entries available, then we know that we
4303 * have nothing left to poll for. Reset the
4304 * inflight count to zero in that case.
4306 mutex_lock(&ctx->uring_lock);
4307 if (!list_empty(&ctx->poll_list))
4308 __io_iopoll_check(ctx, &nr_events, 0);
4311 mutex_unlock(&ctx->uring_lock);
4314 * Normal IO, just pretend everything completed.
4315 * We don't have to poll completions for that.
4317 nr_events = inflight;
4320 inflight -= nr_events;
4322 timeout = jiffies + ctx->sq_thread_idle;
4325 to_submit = io_sqring_entries(ctx);
4328 * If submit got -EBUSY, flag us as needing the application
4329 * to enter the kernel to reap and flush events.
4331 if (!to_submit || ret == -EBUSY) {
4333 * We're polling. If we're within the defined idle
4334 * period, then let us spin without work before going
4335 * to sleep. The exception is if we got EBUSY doing
4336 * more IO, we should wait for the application to
4337 * reap events and wake us up.
4340 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
4346 * Drop cur_mm before scheduling, we can't hold it for
4347 * long periods (or over schedule()). Do this before
4348 * adding ourselves to the waitqueue, as the unuse/drop
4357 prepare_to_wait(&ctx->sqo_wait, &wait,
4358 TASK_INTERRUPTIBLE);
4360 /* Tell userspace we may need a wakeup call */
4361 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
4362 /* make sure to read SQ tail after writing flags */
4365 to_submit = io_sqring_entries(ctx);
4366 if (!to_submit || ret == -EBUSY) {
4367 if (kthread_should_park()) {
4368 finish_wait(&ctx->sqo_wait, &wait);
4371 if (signal_pending(current))
4372 flush_signals(current);
4374 finish_wait(&ctx->sqo_wait, &wait);
4376 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
4379 finish_wait(&ctx->sqo_wait, &wait);
4381 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
4384 to_submit = min(to_submit, ctx->sq_entries);
4385 mutex_lock(&ctx->uring_lock);
4386 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
4387 mutex_unlock(&ctx->uring_lock);
4397 revert_creds(old_cred);
4404 struct io_wait_queue {
4405 struct wait_queue_entry wq;
4406 struct io_ring_ctx *ctx;
4408 unsigned nr_timeouts;
4411 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
4413 struct io_ring_ctx *ctx = iowq->ctx;
4416 * Wake up if we have enough events, or if a timeout occurred since we
4417 * started waiting. For timeouts, we always want to return to userspace,
4418 * regardless of event count.
4420 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
4421 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
4424 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
4425 int wake_flags, void *key)
4427 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
4430 /* use noflush == true, as we can't safely rely on locking context */
4431 if (!io_should_wake(iowq, true))
4434 return autoremove_wake_function(curr, mode, wake_flags, key);
4438 * Wait until events become available, if we don't already have some. The
4439 * application must reap them itself, as they reside on the shared cq ring.
4441 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
4442 const sigset_t __user *sig, size_t sigsz)
4444 struct io_wait_queue iowq = {
4447 .func = io_wake_function,
4448 .entry = LIST_HEAD_INIT(iowq.wq.entry),
4451 .to_wait = min_events,
4453 struct io_rings *rings = ctx->rings;
4456 if (io_cqring_events(ctx, false) >= min_events)
4460 #ifdef CONFIG_COMPAT
4461 if (in_compat_syscall())
4462 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
4466 ret = set_user_sigmask(sig, sigsz);
4472 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
4473 trace_io_uring_cqring_wait(ctx, min_events);
4475 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
4476 TASK_INTERRUPTIBLE);
4477 if (io_should_wake(&iowq, false))
4480 if (signal_pending(current)) {
4485 finish_wait(&ctx->wait, &iowq.wq);
4487 restore_saved_sigmask_unless(ret == -EINTR);
4489 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
4492 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
4494 #if defined(CONFIG_UNIX)
4495 if (ctx->ring_sock) {
4496 struct sock *sock = ctx->ring_sock->sk;
4497 struct sk_buff *skb;
4499 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
4505 for (i = 0; i < ctx->nr_user_files; i++) {
4508 file = io_file_from_index(ctx, i);
4515 static void io_file_ref_kill(struct percpu_ref *ref)
4517 struct fixed_file_data *data;
4519 data = container_of(ref, struct fixed_file_data, refs);
4520 complete(&data->done);
4523 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4525 struct fixed_file_data *data = ctx->file_data;
4526 unsigned nr_tables, i;
4531 /* protect against inflight atomic switch, which drops the ref */
4532 flush_work(&data->ref_work);
4533 percpu_ref_get(&data->refs);
4534 percpu_ref_kill_and_confirm(&data->refs, io_file_ref_kill);
4535 wait_for_completion(&data->done);
4536 percpu_ref_put(&data->refs);
4537 percpu_ref_exit(&data->refs);
4539 __io_sqe_files_unregister(ctx);
4540 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4541 for (i = 0; i < nr_tables; i++)
4542 kfree(data->table[i].files);
4545 ctx->file_data = NULL;
4546 ctx->nr_user_files = 0;
4550 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4552 if (ctx->sqo_thread) {
4553 wait_for_completion(&ctx->completions[1]);
4555 * The park is a bit of a work-around, without it we get
4556 * warning spews on shutdown with SQPOLL set and affinity
4557 * set to a single CPU.
4559 kthread_park(ctx->sqo_thread);
4560 kthread_stop(ctx->sqo_thread);
4561 ctx->sqo_thread = NULL;
4565 static void io_finish_async(struct io_ring_ctx *ctx)
4567 io_sq_thread_stop(ctx);
4570 io_wq_destroy(ctx->io_wq);
4575 #if defined(CONFIG_UNIX)
4577 * Ensure the UNIX gc is aware of our file set, so we are certain that
4578 * the io_uring can be safely unregistered on process exit, even if we have
4579 * loops in the file referencing.
4581 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4583 struct sock *sk = ctx->ring_sock->sk;
4584 struct scm_fp_list *fpl;
4585 struct sk_buff *skb;
4588 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4589 unsigned long inflight = ctx->user->unix_inflight + nr;
4591 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4595 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4599 skb = alloc_skb(0, GFP_KERNEL);
4608 fpl->user = get_uid(ctx->user);
4609 for (i = 0; i < nr; i++) {
4610 struct file *file = io_file_from_index(ctx, i + offset);
4614 fpl->fp[nr_files] = get_file(file);
4615 unix_inflight(fpl->user, fpl->fp[nr_files]);
4620 fpl->max = SCM_MAX_FD;
4621 fpl->count = nr_files;
4622 UNIXCB(skb).fp = fpl;
4623 skb->destructor = unix_destruct_scm;
4624 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4625 skb_queue_head(&sk->sk_receive_queue, skb);
4627 for (i = 0; i < nr_files; i++)
4638 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4639 * causes regular reference counting to break down. We rely on the UNIX
4640 * garbage collection to take care of this problem for us.
4642 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4644 unsigned left, total;
4648 left = ctx->nr_user_files;
4650 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
4652 ret = __io_sqe_files_scm(ctx, this_files, total);
4656 total += this_files;
4662 while (total < ctx->nr_user_files) {
4663 struct file *file = io_file_from_index(ctx, total);
4673 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4679 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
4684 for (i = 0; i < nr_tables; i++) {
4685 struct fixed_file_table *table = &ctx->file_data->table[i];
4686 unsigned this_files;
4688 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
4689 table->files = kcalloc(this_files, sizeof(struct file *),
4693 nr_files -= this_files;
4699 for (i = 0; i < nr_tables; i++) {
4700 struct fixed_file_table *table = &ctx->file_data->table[i];
4701 kfree(table->files);
4706 static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file)
4708 #if defined(CONFIG_UNIX)
4709 struct sock *sock = ctx->ring_sock->sk;
4710 struct sk_buff_head list, *head = &sock->sk_receive_queue;
4711 struct sk_buff *skb;
4714 __skb_queue_head_init(&list);
4717 * Find the skb that holds this file in its SCM_RIGHTS. When found,
4718 * remove this entry and rearrange the file array.
4720 skb = skb_dequeue(head);
4722 struct scm_fp_list *fp;
4724 fp = UNIXCB(skb).fp;
4725 for (i = 0; i < fp->count; i++) {
4728 if (fp->fp[i] != file)
4731 unix_notinflight(fp->user, fp->fp[i]);
4732 left = fp->count - 1 - i;
4734 memmove(&fp->fp[i], &fp->fp[i + 1],
4735 left * sizeof(struct file *));
4742 __skb_queue_tail(&list, skb);
4752 __skb_queue_tail(&list, skb);
4754 skb = skb_dequeue(head);
4757 if (skb_peek(&list)) {
4758 spin_lock_irq(&head->lock);
4759 while ((skb = __skb_dequeue(&list)) != NULL)
4760 __skb_queue_tail(head, skb);
4761 spin_unlock_irq(&head->lock);
4768 struct io_file_put {
4769 struct llist_node llist;
4771 struct completion *done;
4774 static void io_ring_file_ref_switch(struct work_struct *work)
4776 struct io_file_put *pfile, *tmp;
4777 struct fixed_file_data *data;
4778 struct llist_node *node;
4780 data = container_of(work, struct fixed_file_data, ref_work);
4782 while ((node = llist_del_all(&data->put_llist)) != NULL) {
4783 llist_for_each_entry_safe(pfile, tmp, node, llist) {
4784 io_ring_file_put(data->ctx, pfile->file);
4786 complete(pfile->done);
4792 percpu_ref_get(&data->refs);
4793 percpu_ref_switch_to_percpu(&data->refs);
4796 static void io_file_data_ref_zero(struct percpu_ref *ref)
4798 struct fixed_file_data *data;
4800 data = container_of(ref, struct fixed_file_data, refs);
4802 /* we can't safely switch from inside this context, punt to wq */
4803 queue_work(system_wq, &data->ref_work);
4806 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
4809 __s32 __user *fds = (__s32 __user *) arg;
4819 if (nr_args > IORING_MAX_FIXED_FILES)
4822 ctx->file_data = kzalloc(sizeof(*ctx->file_data), GFP_KERNEL);
4823 if (!ctx->file_data)
4825 ctx->file_data->ctx = ctx;
4826 init_completion(&ctx->file_data->done);
4828 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
4829 ctx->file_data->table = kcalloc(nr_tables,
4830 sizeof(struct fixed_file_table),
4832 if (!ctx->file_data->table) {
4833 kfree(ctx->file_data);
4834 ctx->file_data = NULL;
4838 if (percpu_ref_init(&ctx->file_data->refs, io_file_data_ref_zero,
4839 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL)) {
4840 kfree(ctx->file_data->table);
4841 kfree(ctx->file_data);
4842 ctx->file_data = NULL;
4845 ctx->file_data->put_llist.first = NULL;
4846 INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
4848 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
4849 percpu_ref_exit(&ctx->file_data->refs);
4850 kfree(ctx->file_data->table);
4851 kfree(ctx->file_data);
4852 ctx->file_data = NULL;
4856 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
4857 struct fixed_file_table *table;
4861 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
4863 /* allow sparse sets */
4869 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
4870 index = i & IORING_FILE_TABLE_MASK;
4878 * Don't allow io_uring instances to be registered. If UNIX
4879 * isn't enabled, then this causes a reference cycle and this
4880 * instance can never get freed. If UNIX is enabled we'll
4881 * handle it just fine, but there's still no point in allowing
4882 * a ring fd as it doesn't support regular read/write anyway.
4884 if (file->f_op == &io_uring_fops) {
4889 table->files[index] = file;
4893 for (i = 0; i < ctx->nr_user_files; i++) {
4894 file = io_file_from_index(ctx, i);
4898 for (i = 0; i < nr_tables; i++)
4899 kfree(ctx->file_data->table[i].files);
4901 kfree(ctx->file_data->table);
4902 kfree(ctx->file_data);
4903 ctx->file_data = NULL;
4904 ctx->nr_user_files = 0;
4908 ret = io_sqe_files_scm(ctx);
4910 io_sqe_files_unregister(ctx);
4915 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
4918 #if defined(CONFIG_UNIX)
4919 struct sock *sock = ctx->ring_sock->sk;
4920 struct sk_buff_head *head = &sock->sk_receive_queue;
4921 struct sk_buff *skb;
4924 * See if we can merge this file into an existing skb SCM_RIGHTS
4925 * file set. If there's no room, fall back to allocating a new skb
4926 * and filling it in.
4928 spin_lock_irq(&head->lock);
4929 skb = skb_peek(head);
4931 struct scm_fp_list *fpl = UNIXCB(skb).fp;
4933 if (fpl->count < SCM_MAX_FD) {
4934 __skb_unlink(skb, head);
4935 spin_unlock_irq(&head->lock);
4936 fpl->fp[fpl->count] = get_file(file);
4937 unix_inflight(fpl->user, fpl->fp[fpl->count]);
4939 spin_lock_irq(&head->lock);
4940 __skb_queue_head(head, skb);
4945 spin_unlock_irq(&head->lock);
4952 return __io_sqe_files_scm(ctx, 1, index);
4958 static void io_atomic_switch(struct percpu_ref *ref)
4960 struct fixed_file_data *data;
4962 data = container_of(ref, struct fixed_file_data, refs);
4963 clear_bit(FFD_F_ATOMIC, &data->state);
4966 static bool io_queue_file_removal(struct fixed_file_data *data,
4969 struct io_file_put *pfile, pfile_stack;
4970 DECLARE_COMPLETION_ONSTACK(done);
4973 * If we fail allocating the struct we need for doing async reomval
4974 * of this file, just punt to sync and wait for it.
4976 pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
4978 pfile = &pfile_stack;
4979 pfile->done = &done;
4983 llist_add(&pfile->llist, &data->put_llist);
4985 if (pfile == &pfile_stack) {
4986 if (!test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
4987 percpu_ref_put(&data->refs);
4988 percpu_ref_switch_to_atomic(&data->refs,
4991 wait_for_completion(&done);
4992 flush_work(&data->ref_work);
4999 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
5000 struct io_uring_files_update *up,
5003 struct fixed_file_data *data = ctx->file_data;
5004 bool ref_switch = false;
5010 if (check_add_overflow(up->offset, nr_args, &done))
5012 if (done > ctx->nr_user_files)
5016 fds = u64_to_user_ptr(up->fds);
5018 struct fixed_file_table *table;
5022 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
5026 i = array_index_nospec(up->offset, ctx->nr_user_files);
5027 table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT];
5028 index = i & IORING_FILE_TABLE_MASK;
5029 if (table->files[index]) {
5030 file = io_file_from_index(ctx, index);
5031 table->files[index] = NULL;
5032 if (io_queue_file_removal(data, file))
5042 * Don't allow io_uring instances to be registered. If
5043 * UNIX isn't enabled, then this causes a reference
5044 * cycle and this instance can never get freed. If UNIX
5045 * is enabled we'll handle it just fine, but there's
5046 * still no point in allowing a ring fd as it doesn't
5047 * support regular read/write anyway.
5049 if (file->f_op == &io_uring_fops) {
5054 table->files[index] = file;
5055 err = io_sqe_file_register(ctx, file, i);
5064 if (ref_switch && !test_and_set_bit(FFD_F_ATOMIC, &data->state)) {
5065 percpu_ref_put(&data->refs);
5066 percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
5069 return done ? done : err;
5071 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
5074 struct io_uring_files_update up;
5076 if (!ctx->file_data)
5080 if (copy_from_user(&up, arg, sizeof(up)))
5085 return __io_sqe_files_update(ctx, &up, nr_args);
5088 static void io_put_work(struct io_wq_work *work)
5090 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5095 static void io_get_work(struct io_wq_work *work)
5097 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
5099 refcount_inc(&req->refs);
5102 static int io_sq_offload_start(struct io_ring_ctx *ctx,
5103 struct io_uring_params *p)
5105 struct io_wq_data data;
5106 unsigned concurrency;
5109 init_waitqueue_head(&ctx->sqo_wait);
5110 mmgrab(current->mm);
5111 ctx->sqo_mm = current->mm;
5113 if (ctx->flags & IORING_SETUP_SQPOLL) {
5115 if (!capable(CAP_SYS_ADMIN))
5118 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
5119 if (!ctx->sq_thread_idle)
5120 ctx->sq_thread_idle = HZ;
5122 if (p->flags & IORING_SETUP_SQ_AFF) {
5123 int cpu = p->sq_thread_cpu;
5126 if (cpu >= nr_cpu_ids)
5128 if (!cpu_online(cpu))
5131 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
5135 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
5138 if (IS_ERR(ctx->sqo_thread)) {
5139 ret = PTR_ERR(ctx->sqo_thread);
5140 ctx->sqo_thread = NULL;
5143 wake_up_process(ctx->sqo_thread);
5144 } else if (p->flags & IORING_SETUP_SQ_AFF) {
5145 /* Can't have SQ_AFF without SQPOLL */
5150 data.mm = ctx->sqo_mm;
5151 data.user = ctx->user;
5152 data.creds = ctx->creds;
5153 data.get_work = io_get_work;
5154 data.put_work = io_put_work;
5156 /* Do QD, or 4 * CPUS, whatever is smallest */
5157 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
5158 ctx->io_wq = io_wq_create(concurrency, &data);
5159 if (IS_ERR(ctx->io_wq)) {
5160 ret = PTR_ERR(ctx->io_wq);
5167 io_finish_async(ctx);
5168 mmdrop(ctx->sqo_mm);
5173 static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
5175 atomic_long_sub(nr_pages, &user->locked_vm);
5178 static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
5180 unsigned long page_limit, cur_pages, new_pages;
5182 /* Don't allow more pages than we can safely lock */
5183 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
5186 cur_pages = atomic_long_read(&user->locked_vm);
5187 new_pages = cur_pages + nr_pages;
5188 if (new_pages > page_limit)
5190 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
5191 new_pages) != cur_pages);
5196 static void io_mem_free(void *ptr)
5203 page = virt_to_head_page(ptr);
5204 if (put_page_testzero(page))
5205 free_compound_page(page);
5208 static void *io_mem_alloc(size_t size)
5210 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
5213 return (void *) __get_free_pages(gfp_flags, get_order(size));
5216 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
5219 struct io_rings *rings;
5220 size_t off, sq_array_size;
5222 off = struct_size(rings, cqes, cq_entries);
5223 if (off == SIZE_MAX)
5227 off = ALIGN(off, SMP_CACHE_BYTES);
5232 sq_array_size = array_size(sizeof(u32), sq_entries);
5233 if (sq_array_size == SIZE_MAX)
5236 if (check_add_overflow(off, sq_array_size, &off))
5245 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
5249 pages = (size_t)1 << get_order(
5250 rings_size(sq_entries, cq_entries, NULL));
5251 pages += (size_t)1 << get_order(
5252 array_size(sizeof(struct io_uring_sqe), sq_entries));
5257 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
5261 if (!ctx->user_bufs)
5264 for (i = 0; i < ctx->nr_user_bufs; i++) {
5265 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5267 for (j = 0; j < imu->nr_bvecs; j++)
5268 put_user_page(imu->bvec[j].bv_page);
5270 if (ctx->account_mem)
5271 io_unaccount_mem(ctx->user, imu->nr_bvecs);
5276 kfree(ctx->user_bufs);
5277 ctx->user_bufs = NULL;
5278 ctx->nr_user_bufs = 0;
5282 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
5283 void __user *arg, unsigned index)
5285 struct iovec __user *src;
5287 #ifdef CONFIG_COMPAT
5289 struct compat_iovec __user *ciovs;
5290 struct compat_iovec ciov;
5292 ciovs = (struct compat_iovec __user *) arg;
5293 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
5296 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
5297 dst->iov_len = ciov.iov_len;
5301 src = (struct iovec __user *) arg;
5302 if (copy_from_user(dst, &src[index], sizeof(*dst)))
5307 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
5310 struct vm_area_struct **vmas = NULL;
5311 struct page **pages = NULL;
5312 int i, j, got_pages = 0;
5317 if (!nr_args || nr_args > UIO_MAXIOV)
5320 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
5322 if (!ctx->user_bufs)
5325 for (i = 0; i < nr_args; i++) {
5326 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
5327 unsigned long off, start, end, ubuf;
5332 ret = io_copy_iov(ctx, &iov, arg, i);
5337 * Don't impose further limits on the size and buffer
5338 * constraints here, we'll -EINVAL later when IO is
5339 * submitted if they are wrong.
5342 if (!iov.iov_base || !iov.iov_len)
5345 /* arbitrary limit, but we need something */
5346 if (iov.iov_len > SZ_1G)
5349 ubuf = (unsigned long) iov.iov_base;
5350 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
5351 start = ubuf >> PAGE_SHIFT;
5352 nr_pages = end - start;
5354 if (ctx->account_mem) {
5355 ret = io_account_mem(ctx->user, nr_pages);
5361 if (!pages || nr_pages > got_pages) {
5364 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
5366 vmas = kvmalloc_array(nr_pages,
5367 sizeof(struct vm_area_struct *),
5369 if (!pages || !vmas) {
5371 if (ctx->account_mem)
5372 io_unaccount_mem(ctx->user, nr_pages);
5375 got_pages = nr_pages;
5378 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
5382 if (ctx->account_mem)
5383 io_unaccount_mem(ctx->user, nr_pages);
5388 down_read(¤t->mm->mmap_sem);
5389 pret = get_user_pages(ubuf, nr_pages,
5390 FOLL_WRITE | FOLL_LONGTERM,
5392 if (pret == nr_pages) {
5393 /* don't support file backed memory */
5394 for (j = 0; j < nr_pages; j++) {
5395 struct vm_area_struct *vma = vmas[j];
5398 !is_file_hugepages(vma->vm_file)) {
5404 ret = pret < 0 ? pret : -EFAULT;
5406 up_read(¤t->mm->mmap_sem);
5409 * if we did partial map, or found file backed vmas,
5410 * release any pages we did get
5413 put_user_pages(pages, pret);
5414 if (ctx->account_mem)
5415 io_unaccount_mem(ctx->user, nr_pages);
5420 off = ubuf & ~PAGE_MASK;
5422 for (j = 0; j < nr_pages; j++) {
5425 vec_len = min_t(size_t, size, PAGE_SIZE - off);
5426 imu->bvec[j].bv_page = pages[j];
5427 imu->bvec[j].bv_len = vec_len;
5428 imu->bvec[j].bv_offset = off;
5432 /* store original address for later verification */
5434 imu->len = iov.iov_len;
5435 imu->nr_bvecs = nr_pages;
5437 ctx->nr_user_bufs++;
5445 io_sqe_buffer_unregister(ctx);
5449 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
5451 __s32 __user *fds = arg;
5457 if (copy_from_user(&fd, fds, sizeof(*fds)))
5460 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
5461 if (IS_ERR(ctx->cq_ev_fd)) {
5462 int ret = PTR_ERR(ctx->cq_ev_fd);
5463 ctx->cq_ev_fd = NULL;
5470 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
5472 if (ctx->cq_ev_fd) {
5473 eventfd_ctx_put(ctx->cq_ev_fd);
5474 ctx->cq_ev_fd = NULL;
5481 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
5483 io_finish_async(ctx);
5485 mmdrop(ctx->sqo_mm);
5487 io_iopoll_reap_events(ctx);
5488 io_sqe_buffer_unregister(ctx);
5489 io_sqe_files_unregister(ctx);
5490 io_eventfd_unregister(ctx);
5492 #if defined(CONFIG_UNIX)
5493 if (ctx->ring_sock) {
5494 ctx->ring_sock->file = NULL; /* so that iput() is called */
5495 sock_release(ctx->ring_sock);
5499 io_mem_free(ctx->rings);
5500 io_mem_free(ctx->sq_sqes);
5502 percpu_ref_exit(&ctx->refs);
5503 if (ctx->account_mem)
5504 io_unaccount_mem(ctx->user,
5505 ring_pages(ctx->sq_entries, ctx->cq_entries));
5506 free_uid(ctx->user);
5507 put_cred(ctx->creds);
5508 kfree(ctx->completions);
5509 kfree(ctx->cancel_hash);
5510 kmem_cache_free(req_cachep, ctx->fallback_req);
5514 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
5516 struct io_ring_ctx *ctx = file->private_data;
5519 poll_wait(file, &ctx->cq_wait, wait);
5521 * synchronizes with barrier from wq_has_sleeper call in
5525 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
5526 ctx->rings->sq_ring_entries)
5527 mask |= EPOLLOUT | EPOLLWRNORM;
5528 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
5529 mask |= EPOLLIN | EPOLLRDNORM;
5534 static int io_uring_fasync(int fd, struct file *file, int on)
5536 struct io_ring_ctx *ctx = file->private_data;
5538 return fasync_helper(fd, file, on, &ctx->cq_fasync);
5541 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
5543 mutex_lock(&ctx->uring_lock);
5544 percpu_ref_kill(&ctx->refs);
5545 mutex_unlock(&ctx->uring_lock);
5547 io_kill_timeouts(ctx);
5548 io_poll_remove_all(ctx);
5551 io_wq_cancel_all(ctx->io_wq);
5553 io_iopoll_reap_events(ctx);
5554 /* if we failed setting up the ctx, we might not have any rings */
5556 io_cqring_overflow_flush(ctx, true);
5557 wait_for_completion(&ctx->completions[0]);
5558 io_ring_ctx_free(ctx);
5561 static int io_uring_release(struct inode *inode, struct file *file)
5563 struct io_ring_ctx *ctx = file->private_data;
5565 file->private_data = NULL;
5566 io_ring_ctx_wait_and_kill(ctx);
5570 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
5571 struct files_struct *files)
5573 struct io_kiocb *req;
5576 while (!list_empty_careful(&ctx->inflight_list)) {
5577 struct io_kiocb *cancel_req = NULL;
5579 spin_lock_irq(&ctx->inflight_lock);
5580 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
5581 if (req->work.files != files)
5583 /* req is being completed, ignore */
5584 if (!refcount_inc_not_zero(&req->refs))
5590 prepare_to_wait(&ctx->inflight_wait, &wait,
5591 TASK_UNINTERRUPTIBLE);
5592 spin_unlock_irq(&ctx->inflight_lock);
5594 /* We need to keep going until we don't find a matching req */
5598 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
5599 io_put_req(cancel_req);
5602 finish_wait(&ctx->inflight_wait, &wait);
5605 static int io_uring_flush(struct file *file, void *data)
5607 struct io_ring_ctx *ctx = file->private_data;
5609 io_uring_cancel_files(ctx, data);
5610 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
5611 io_cqring_overflow_flush(ctx, true);
5612 io_wq_cancel_all(ctx->io_wq);
5617 static void *io_uring_validate_mmap_request(struct file *file,
5618 loff_t pgoff, size_t sz)
5620 struct io_ring_ctx *ctx = file->private_data;
5621 loff_t offset = pgoff << PAGE_SHIFT;
5626 case IORING_OFF_SQ_RING:
5627 case IORING_OFF_CQ_RING:
5630 case IORING_OFF_SQES:
5634 return ERR_PTR(-EINVAL);
5637 page = virt_to_head_page(ptr);
5638 if (sz > page_size(page))
5639 return ERR_PTR(-EINVAL);
5646 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5648 size_t sz = vma->vm_end - vma->vm_start;
5652 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5654 return PTR_ERR(ptr);
5656 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5657 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5660 #else /* !CONFIG_MMU */
5662 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5664 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5667 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
5669 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
5672 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
5673 unsigned long addr, unsigned long len,
5674 unsigned long pgoff, unsigned long flags)
5678 ptr = io_uring_validate_mmap_request(file, pgoff, len);
5680 return PTR_ERR(ptr);
5682 return (unsigned long) ptr;
5685 #endif /* !CONFIG_MMU */
5687 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
5688 u32, min_complete, u32, flags, const sigset_t __user *, sig,
5691 struct io_ring_ctx *ctx;
5696 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
5704 if (f.file->f_op != &io_uring_fops)
5708 ctx = f.file->private_data;
5709 if (!percpu_ref_tryget(&ctx->refs))
5713 * For SQ polling, the thread will do all submissions and completions.
5714 * Just return the requested submit count, and wake the thread if
5718 if (ctx->flags & IORING_SETUP_SQPOLL) {
5719 if (!list_empty_careful(&ctx->cq_overflow_list))
5720 io_cqring_overflow_flush(ctx, false);
5721 if (flags & IORING_ENTER_SQ_WAKEUP)
5722 wake_up(&ctx->sqo_wait);
5723 submitted = to_submit;
5724 } else if (to_submit) {
5725 struct mm_struct *cur_mm;
5727 if (current->mm != ctx->sqo_mm ||
5728 current_cred() != ctx->creds) {
5733 to_submit = min(to_submit, ctx->sq_entries);
5734 mutex_lock(&ctx->uring_lock);
5735 /* already have mm, so io_submit_sqes() won't try to grab it */
5736 cur_mm = ctx->sqo_mm;
5737 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
5739 mutex_unlock(&ctx->uring_lock);
5741 if (submitted != to_submit)
5744 if (flags & IORING_ENTER_GETEVENTS) {
5745 unsigned nr_events = 0;
5747 min_complete = min(min_complete, ctx->cq_entries);
5749 if (ctx->flags & IORING_SETUP_IOPOLL) {
5750 ret = io_iopoll_check(ctx, &nr_events, min_complete);
5752 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
5757 percpu_ref_put(&ctx->refs);
5760 return submitted ? submitted : ret;
5763 static const struct file_operations io_uring_fops = {
5764 .release = io_uring_release,
5765 .flush = io_uring_flush,
5766 .mmap = io_uring_mmap,
5768 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
5769 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
5771 .poll = io_uring_poll,
5772 .fasync = io_uring_fasync,
5775 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
5776 struct io_uring_params *p)
5778 struct io_rings *rings;
5779 size_t size, sq_array_offset;
5781 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
5782 if (size == SIZE_MAX)
5785 rings = io_mem_alloc(size);
5790 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
5791 rings->sq_ring_mask = p->sq_entries - 1;
5792 rings->cq_ring_mask = p->cq_entries - 1;
5793 rings->sq_ring_entries = p->sq_entries;
5794 rings->cq_ring_entries = p->cq_entries;
5795 ctx->sq_mask = rings->sq_ring_mask;
5796 ctx->cq_mask = rings->cq_ring_mask;
5797 ctx->sq_entries = rings->sq_ring_entries;
5798 ctx->cq_entries = rings->cq_ring_entries;
5800 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
5801 if (size == SIZE_MAX) {
5802 io_mem_free(ctx->rings);
5807 ctx->sq_sqes = io_mem_alloc(size);
5808 if (!ctx->sq_sqes) {
5809 io_mem_free(ctx->rings);
5818 * Allocate an anonymous fd, this is what constitutes the application
5819 * visible backing of an io_uring instance. The application mmaps this
5820 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
5821 * we have to tie this fd to a socket for file garbage collection purposes.
5823 static int io_uring_get_fd(struct io_ring_ctx *ctx)
5828 #if defined(CONFIG_UNIX)
5829 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
5835 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
5839 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
5840 O_RDWR | O_CLOEXEC);
5843 ret = PTR_ERR(file);
5847 #if defined(CONFIG_UNIX)
5848 ctx->ring_sock->file = file;
5850 fd_install(ret, file);
5853 #if defined(CONFIG_UNIX)
5854 sock_release(ctx->ring_sock);
5855 ctx->ring_sock = NULL;
5860 static int io_uring_create(unsigned entries, struct io_uring_params *p)
5862 struct user_struct *user = NULL;
5863 struct io_ring_ctx *ctx;
5867 if (!entries || entries > IORING_MAX_ENTRIES)
5871 * Use twice as many entries for the CQ ring. It's possible for the
5872 * application to drive a higher depth than the size of the SQ ring,
5873 * since the sqes are only used at submission time. This allows for
5874 * some flexibility in overcommitting a bit. If the application has
5875 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
5876 * of CQ ring entries manually.
5878 p->sq_entries = roundup_pow_of_two(entries);
5879 if (p->flags & IORING_SETUP_CQSIZE) {
5881 * If IORING_SETUP_CQSIZE is set, we do the same roundup
5882 * to a power-of-two, if it isn't already. We do NOT impose
5883 * any cq vs sq ring sizing.
5885 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
5887 p->cq_entries = roundup_pow_of_two(p->cq_entries);
5889 p->cq_entries = 2 * p->sq_entries;
5892 user = get_uid(current_user());
5893 account_mem = !capable(CAP_IPC_LOCK);
5896 ret = io_account_mem(user,
5897 ring_pages(p->sq_entries, p->cq_entries));
5904 ctx = io_ring_ctx_alloc(p);
5907 io_unaccount_mem(user, ring_pages(p->sq_entries,
5912 ctx->compat = in_compat_syscall();
5913 ctx->account_mem = account_mem;
5915 ctx->creds = get_current_cred();
5917 ret = io_allocate_scq_urings(ctx, p);
5921 ret = io_sq_offload_start(ctx, p);
5925 memset(&p->sq_off, 0, sizeof(p->sq_off));
5926 p->sq_off.head = offsetof(struct io_rings, sq.head);
5927 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
5928 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
5929 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
5930 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
5931 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
5932 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
5934 memset(&p->cq_off, 0, sizeof(p->cq_off));
5935 p->cq_off.head = offsetof(struct io_rings, cq.head);
5936 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
5937 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
5938 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
5939 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
5940 p->cq_off.cqes = offsetof(struct io_rings, cqes);
5943 * Install ring fd as the very last thing, so we don't risk someone
5944 * having closed it before we finish setup
5946 ret = io_uring_get_fd(ctx);
5950 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
5951 IORING_FEAT_SUBMIT_STABLE;
5952 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
5955 io_ring_ctx_wait_and_kill(ctx);
5960 * Sets up an aio uring context, and returns the fd. Applications asks for a
5961 * ring size, we return the actual sq/cq ring sizes (among other things) in the
5962 * params structure passed in.
5964 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
5966 struct io_uring_params p;
5970 if (copy_from_user(&p, params, sizeof(p)))
5972 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
5977 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
5978 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
5981 ret = io_uring_create(entries, &p);
5985 if (copy_to_user(params, &p, sizeof(p)))
5991 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
5992 struct io_uring_params __user *, params)
5994 return io_uring_setup(entries, params);
5997 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
5998 void __user *arg, unsigned nr_args)
5999 __releases(ctx->uring_lock)
6000 __acquires(ctx->uring_lock)
6005 * We're inside the ring mutex, if the ref is already dying, then
6006 * someone else killed the ctx or is already going through
6007 * io_uring_register().
6009 if (percpu_ref_is_dying(&ctx->refs))
6012 if (opcode != IORING_UNREGISTER_FILES &&
6013 opcode != IORING_REGISTER_FILES_UPDATE) {
6014 percpu_ref_kill(&ctx->refs);
6017 * Drop uring mutex before waiting for references to exit. If
6018 * another thread is currently inside io_uring_enter() it might
6019 * need to grab the uring_lock to make progress. If we hold it
6020 * here across the drain wait, then we can deadlock. It's safe
6021 * to drop the mutex here, since no new references will come in
6022 * after we've killed the percpu ref.
6024 mutex_unlock(&ctx->uring_lock);
6025 wait_for_completion(&ctx->completions[0]);
6026 mutex_lock(&ctx->uring_lock);
6030 case IORING_REGISTER_BUFFERS:
6031 ret = io_sqe_buffer_register(ctx, arg, nr_args);
6033 case IORING_UNREGISTER_BUFFERS:
6037 ret = io_sqe_buffer_unregister(ctx);
6039 case IORING_REGISTER_FILES:
6040 ret = io_sqe_files_register(ctx, arg, nr_args);
6042 case IORING_UNREGISTER_FILES:
6046 ret = io_sqe_files_unregister(ctx);
6048 case IORING_REGISTER_FILES_UPDATE:
6049 ret = io_sqe_files_update(ctx, arg, nr_args);
6051 case IORING_REGISTER_EVENTFD:
6055 ret = io_eventfd_register(ctx, arg);
6057 case IORING_UNREGISTER_EVENTFD:
6061 ret = io_eventfd_unregister(ctx);
6069 if (opcode != IORING_UNREGISTER_FILES &&
6070 opcode != IORING_REGISTER_FILES_UPDATE) {
6071 /* bring the ctx back to life */
6072 reinit_completion(&ctx->completions[0]);
6073 percpu_ref_reinit(&ctx->refs);
6078 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
6079 void __user *, arg, unsigned int, nr_args)
6081 struct io_ring_ctx *ctx;
6090 if (f.file->f_op != &io_uring_fops)
6093 ctx = f.file->private_data;
6095 mutex_lock(&ctx->uring_lock);
6096 ret = __io_uring_register(ctx, opcode, arg, nr_args);
6097 mutex_unlock(&ctx->uring_lock);
6098 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
6099 ctx->cq_ev_fd != NULL, ret);
6105 static int __init io_uring_init(void)
6107 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
6110 __initcall(io_uring_init);
OSDN Git Service
