1 // SPDX-License-Identifier: GPL-2.0
3 * Shared application/kernel submission and completion ring pairs, for
4 * supporting fast/efficient IO.
6 * A note on the read/write ordering memory barriers that are matched between
7 * the application and kernel side.
9 * After the application reads the CQ ring tail, it must use an
10 * appropriate smp_rmb() to pair with the smp_wmb() the kernel uses
11 * before writing the tail (using smp_load_acquire to read the tail will
12 * do). It also needs a smp_mb() before updating CQ head (ordering the
13 * entry load(s) with the head store), pairing with an implicit barrier
14 * through a control-dependency in io_get_cqring (smp_store_release to
15 * store head will do). Failure to do so could lead to reading invalid
18 * Likewise, the application must use an appropriate smp_wmb() before
19 * writing the SQ tail (ordering SQ entry stores with the tail store),
20 * which pairs with smp_load_acquire in io_get_sqring (smp_store_release
21 * to store the tail will do). And it needs a barrier ordering the SQ
22 * head load before writing new SQ entries (smp_load_acquire to read
25 * When using the SQ poll thread (IORING_SETUP_SQPOLL), the application
26 * needs to check the SQ flags for IORING_SQ_NEED_WAKEUP *after*
27 * updating the SQ tail; a full memory barrier smp_mb() is needed
30 * Also see the examples in the liburing library:
32 * git://git.kernel.dk/liburing
34 * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens
35 * from data shared between the kernel and application. This is done both
36 * for ordering purposes, but also to ensure that once a value is loaded from
37 * data that the application could potentially modify, it remains stable.
39 * Copyright (C) 2018-2019 Jens Axboe
40 * Copyright (c) 2018-2019 Christoph Hellwig
42 #include <linux/kernel.h>
43 #include <linux/init.h>
44 #include <linux/errno.h>
45 #include <linux/syscalls.h>
46 #include <linux/compat.h>
47 #include <linux/refcount.h>
48 #include <linux/uio.h>
50 #include <linux/sched/signal.h>
52 #include <linux/file.h>
53 #include <linux/fdtable.h>
55 #include <linux/mman.h>
56 #include <linux/mmu_context.h>
57 #include <linux/percpu.h>
58 #include <linux/slab.h>
59 #include <linux/kthread.h>
60 #include <linux/blkdev.h>
61 #include <linux/bvec.h>
62 #include <linux/net.h>
64 #include <net/af_unix.h>
66 #include <linux/anon_inodes.h>
67 #include <linux/sched/mm.h>
68 #include <linux/uaccess.h>
69 #include <linux/nospec.h>
70 #include <linux/sizes.h>
71 #include <linux/hugetlb.h>
72 #include <linux/highmem.h>
74 #define CREATE_TRACE_POINTS
75 #include <trace/events/io_uring.h>
77 #include <uapi/linux/io_uring.h>
82 #define IORING_MAX_ENTRIES 32768
83 #define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
86 * Shift of 9 is 512 entries, or exactly one page on 64-bit archs
88 #define IORING_FILE_TABLE_SHIFT 9
89 #define IORING_MAX_FILES_TABLE (1U << IORING_FILE_TABLE_SHIFT)
90 #define IORING_FILE_TABLE_MASK (IORING_MAX_FILES_TABLE - 1)
91 #define IORING_MAX_FIXED_FILES (64 * IORING_MAX_FILES_TABLE)
94 u32 head ____cacheline_aligned_in_smp;
95 u32 tail ____cacheline_aligned_in_smp;
99 * This data is shared with the application through the mmap at offsets
100 * IORING_OFF_SQ_RING and IORING_OFF_CQ_RING.
102 * The offsets to the member fields are published through struct
103 * io_sqring_offsets when calling io_uring_setup.
107 * Head and tail offsets into the ring; the offsets need to be
108 * masked to get valid indices.
110 * The kernel controls head of the sq ring and the tail of the cq ring,
111 * and the application controls tail of the sq ring and the head of the
114 struct io_uring sq, cq;
116 * Bitmasks to apply to head and tail offsets (constant, equals
119 u32 sq_ring_mask, cq_ring_mask;
120 /* Ring sizes (constant, power of 2) */
121 u32 sq_ring_entries, cq_ring_entries;
123 * Number of invalid entries dropped by the kernel due to
124 * invalid index stored in array
126 * Written by the kernel, shouldn't be modified by the
127 * application (i.e. get number of "new events" by comparing to
130 * After a new SQ head value was read by the application this
131 * counter includes all submissions that were dropped reaching
132 * the new SQ head (and possibly more).
138 * Written by the kernel, shouldn't be modified by the
141 * The application needs a full memory barrier before checking
142 * for IORING_SQ_NEED_WAKEUP after updating the sq tail.
146 * Number of completion events lost because the queue was full;
147 * this should be avoided by the application by making sure
148 * there are not more requests pending than there is space in
149 * the completion queue.
151 * Written by the kernel, shouldn't be modified by the
152 * application (i.e. get number of "new events" by comparing to
155 * As completion events come in out of order this counter is not
156 * ordered with any other data.
160 * Ring buffer of completion events.
162 * The kernel writes completion events fresh every time they are
163 * produced, so the application is allowed to modify pending
166 struct io_uring_cqe cqes[] ____cacheline_aligned_in_smp;
169 struct io_mapped_ubuf {
172 struct bio_vec *bvec;
173 unsigned int nr_bvecs;
176 struct fixed_file_table {
182 struct percpu_ref refs;
183 } ____cacheline_aligned_in_smp;
189 bool cq_overflow_flushed;
193 * Ring buffer of indices into array of io_uring_sqe, which is
194 * mmapped by the application using the IORING_OFF_SQES offset.
196 * This indirection could e.g. be used to assign fixed
197 * io_uring_sqe entries to operations and only submit them to
198 * the queue when needed.
200 * The kernel modifies neither the indices array nor the entries
204 unsigned cached_sq_head;
207 unsigned sq_thread_idle;
208 unsigned cached_sq_dropped;
209 atomic_t cached_cq_overflow;
210 struct io_uring_sqe *sq_sqes;
212 struct list_head defer_list;
213 struct list_head timeout_list;
214 struct list_head cq_overflow_list;
216 wait_queue_head_t inflight_wait;
217 } ____cacheline_aligned_in_smp;
219 struct io_rings *rings;
223 struct task_struct *sqo_thread; /* if using sq thread polling */
224 struct mm_struct *sqo_mm;
225 wait_queue_head_t sqo_wait;
228 * If used, fixed file set. Writers must ensure that ->refs is dead,
229 * readers must ensure that ->refs is alive as long as the file* is
230 * used. Only updated through io_uring_register(2).
232 struct fixed_file_table *file_table;
233 unsigned nr_user_files;
235 /* if used, fixed mapped user buffers */
236 unsigned nr_user_bufs;
237 struct io_mapped_ubuf *user_bufs;
239 struct user_struct *user;
241 const struct cred *creds;
243 /* 0 is for ctx quiesce/reinit/free, 1 is for sqo_thread started */
244 struct completion *completions;
246 /* if all else fails... */
247 struct io_kiocb *fallback_req;
249 #if defined(CONFIG_UNIX)
250 struct socket *ring_sock;
254 unsigned cached_cq_tail;
257 atomic_t cq_timeouts;
258 struct wait_queue_head cq_wait;
259 struct fasync_struct *cq_fasync;
260 struct eventfd_ctx *cq_ev_fd;
261 } ____cacheline_aligned_in_smp;
264 struct mutex uring_lock;
265 wait_queue_head_t wait;
266 } ____cacheline_aligned_in_smp;
269 spinlock_t completion_lock;
270 bool poll_multi_file;
272 * ->poll_list is protected by the ctx->uring_lock for
273 * io_uring instances that don't use IORING_SETUP_SQPOLL.
274 * For SQPOLL, only the single threaded io_sq_thread() will
275 * manipulate the list, hence no extra locking is needed there.
277 struct list_head poll_list;
278 struct hlist_head *cancel_hash;
279 unsigned cancel_hash_bits;
281 spinlock_t inflight_lock;
282 struct list_head inflight_list;
283 } ____cacheline_aligned_in_smp;
287 * First field must be the file pointer in all the
288 * iocb unions! See also 'struct kiocb' in <linux/fs.h>
290 struct io_poll_iocb {
293 struct wait_queue_head *head;
299 struct wait_queue_entry wait;
302 struct io_timeout_data {
303 struct io_kiocb *req;
304 struct hrtimer timer;
305 struct timespec64 ts;
306 enum hrtimer_mode mode;
312 struct sockaddr __user *addr;
313 int __user *addr_len;
324 struct io_async_connect {
325 struct sockaddr_storage address;
328 struct io_async_msghdr {
329 struct iovec fast_iov[UIO_FASTIOV];
331 struct sockaddr __user *uaddr;
336 struct iovec fast_iov[UIO_FASTIOV];
342 struct io_async_ctx {
343 struct io_uring_sqe sqe;
345 struct io_async_rw rw;
346 struct io_async_msghdr msg;
347 struct io_async_connect connect;
348 struct io_timeout_data timeout;
353 * NOTE! Each of the iocb union members has the file pointer
354 * as the first entry in their struct definition. So you can
355 * access the file pointer through any of the sub-structs,
356 * or directly as just 'ki_filp' in this struct.
362 struct io_poll_iocb poll;
363 struct io_accept accept;
367 const struct io_uring_sqe *sqe;
368 struct io_async_ctx *io;
369 struct file *ring_file;
373 bool needs_fixed_file;
375 struct io_ring_ctx *ctx;
377 struct list_head list;
378 struct hlist_node hash_node;
380 struct list_head link_list;
383 #define REQ_F_NOWAIT 1 /* must not punt to workers */
384 #define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
385 #define REQ_F_FIXED_FILE 4 /* ctx owns file */
386 #define REQ_F_LINK_NEXT 8 /* already grabbed next link */
387 #define REQ_F_IO_DRAIN 16 /* drain existing IO first */
388 #define REQ_F_IO_DRAINED 32 /* drain done */
389 #define REQ_F_LINK 64 /* linked sqes */
390 #define REQ_F_LINK_TIMEOUT 128 /* has linked timeout */
391 #define REQ_F_FAIL_LINK 256 /* fail rest of links */
392 #define REQ_F_DRAIN_LINK 512 /* link should be fully drained */
393 #define REQ_F_TIMEOUT 1024 /* timeout request */
394 #define REQ_F_ISREG 2048 /* regular file */
395 #define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
396 #define REQ_F_TIMEOUT_NOSEQ 8192 /* no timeout sequence */
397 #define REQ_F_INFLIGHT 16384 /* on inflight list */
398 #define REQ_F_COMP_LOCKED 32768 /* completion under lock */
399 #define REQ_F_HARDLINK 65536 /* doesn't sever on completion < 0 */
400 #define REQ_F_PREPPED 131072 /* request already opcode prepared */
405 struct list_head inflight_entry;
407 struct io_wq_work work;
410 #define IO_PLUG_THRESHOLD 2
411 #define IO_IOPOLL_BATCH 8
413 struct io_submit_state {
414 struct blk_plug plug;
417 * io_kiocb alloc cache
419 void *reqs[IO_IOPOLL_BATCH];
420 unsigned int free_reqs;
421 unsigned int cur_req;
424 * File reference cache
428 unsigned int has_refs;
429 unsigned int used_refs;
430 unsigned int ios_left;
433 static void io_wq_submit_work(struct io_wq_work **workptr);
434 static void io_cqring_fill_event(struct io_kiocb *req, long res);
435 static void __io_free_req(struct io_kiocb *req);
436 static void io_put_req(struct io_kiocb *req);
437 static void io_double_put_req(struct io_kiocb *req);
438 static void __io_double_put_req(struct io_kiocb *req);
439 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req);
440 static void io_queue_linked_timeout(struct io_kiocb *req);
442 static struct kmem_cache *req_cachep;
444 static const struct file_operations io_uring_fops;
446 struct sock *io_uring_get_socket(struct file *file)
448 #if defined(CONFIG_UNIX)
449 if (file->f_op == &io_uring_fops) {
450 struct io_ring_ctx *ctx = file->private_data;
452 return ctx->ring_sock->sk;
457 EXPORT_SYMBOL(io_uring_get_socket);
459 static void io_ring_ctx_ref_free(struct percpu_ref *ref)
461 struct io_ring_ctx *ctx = container_of(ref, struct io_ring_ctx, refs);
463 complete(&ctx->completions[0]);
466 static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
468 struct io_ring_ctx *ctx;
471 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
475 ctx->fallback_req = kmem_cache_alloc(req_cachep, GFP_KERNEL);
476 if (!ctx->fallback_req)
479 ctx->completions = kmalloc(2 * sizeof(struct completion), GFP_KERNEL);
480 if (!ctx->completions)
484 * Use 5 bits less than the max cq entries, that should give us around
485 * 32 entries per hash list if totally full and uniformly spread.
487 hash_bits = ilog2(p->cq_entries);
491 ctx->cancel_hash_bits = hash_bits;
492 ctx->cancel_hash = kmalloc((1U << hash_bits) * sizeof(struct hlist_head),
494 if (!ctx->cancel_hash)
496 __hash_init(ctx->cancel_hash, 1U << hash_bits);
498 if (percpu_ref_init(&ctx->refs, io_ring_ctx_ref_free,
499 PERCPU_REF_ALLOW_REINIT, GFP_KERNEL))
502 ctx->flags = p->flags;
503 init_waitqueue_head(&ctx->cq_wait);
504 INIT_LIST_HEAD(&ctx->cq_overflow_list);
505 init_completion(&ctx->completions[0]);
506 init_completion(&ctx->completions[1]);
507 mutex_init(&ctx->uring_lock);
508 init_waitqueue_head(&ctx->wait);
509 spin_lock_init(&ctx->completion_lock);
510 INIT_LIST_HEAD(&ctx->poll_list);
511 INIT_LIST_HEAD(&ctx->defer_list);
512 INIT_LIST_HEAD(&ctx->timeout_list);
513 init_waitqueue_head(&ctx->inflight_wait);
514 spin_lock_init(&ctx->inflight_lock);
515 INIT_LIST_HEAD(&ctx->inflight_list);
518 if (ctx->fallback_req)
519 kmem_cache_free(req_cachep, ctx->fallback_req);
520 kfree(ctx->completions);
521 kfree(ctx->cancel_hash);
526 static inline bool __req_need_defer(struct io_kiocb *req)
528 struct io_ring_ctx *ctx = req->ctx;
530 return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
531 + atomic_read(&ctx->cached_cq_overflow);
534 static inline bool req_need_defer(struct io_kiocb *req)
536 if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) == REQ_F_IO_DRAIN)
537 return __req_need_defer(req);
542 static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)
544 struct io_kiocb *req;
546 req = list_first_entry_or_null(&ctx->defer_list, struct io_kiocb, list);
547 if (req && !req_need_defer(req)) {
548 list_del_init(&req->list);
555 static struct io_kiocb *io_get_timeout_req(struct io_ring_ctx *ctx)
557 struct io_kiocb *req;
559 req = list_first_entry_or_null(&ctx->timeout_list, struct io_kiocb, list);
561 if (req->flags & REQ_F_TIMEOUT_NOSEQ)
563 if (!__req_need_defer(req)) {
564 list_del_init(&req->list);
572 static void __io_commit_cqring(struct io_ring_ctx *ctx)
574 struct io_rings *rings = ctx->rings;
576 if (ctx->cached_cq_tail != READ_ONCE(rings->cq.tail)) {
577 /* order cqe stores with ring update */
578 smp_store_release(&rings->cq.tail, ctx->cached_cq_tail);
580 if (wq_has_sleeper(&ctx->cq_wait)) {
581 wake_up_interruptible(&ctx->cq_wait);
582 kill_fasync(&ctx->cq_fasync, SIGIO, POLL_IN);
587 static inline bool io_sqe_needs_user(const struct io_uring_sqe *sqe)
589 u8 opcode = READ_ONCE(sqe->opcode);
591 return !(opcode == IORING_OP_READ_FIXED ||
592 opcode == IORING_OP_WRITE_FIXED);
595 static inline bool io_prep_async_work(struct io_kiocb *req,
596 struct io_kiocb **link)
598 bool do_hashed = false;
601 switch (req->sqe->opcode) {
602 case IORING_OP_WRITEV:
603 case IORING_OP_WRITE_FIXED:
604 /* only regular files should be hashed for writes */
605 if (req->flags & REQ_F_ISREG)
608 case IORING_OP_READV:
609 case IORING_OP_READ_FIXED:
610 case IORING_OP_SENDMSG:
611 case IORING_OP_RECVMSG:
612 case IORING_OP_ACCEPT:
613 case IORING_OP_POLL_ADD:
614 case IORING_OP_CONNECT:
616 * We know REQ_F_ISREG is not set on some of these
617 * opcodes, but this enables us to keep the check in
620 if (!(req->flags & REQ_F_ISREG))
621 req->work.flags |= IO_WQ_WORK_UNBOUND;
624 if (io_sqe_needs_user(req->sqe))
625 req->work.flags |= IO_WQ_WORK_NEEDS_USER;
628 *link = io_prep_linked_timeout(req);
632 static inline void io_queue_async_work(struct io_kiocb *req)
634 struct io_ring_ctx *ctx = req->ctx;
635 struct io_kiocb *link;
638 do_hashed = io_prep_async_work(req, &link);
640 trace_io_uring_queue_async_work(ctx, do_hashed, req, &req->work,
643 io_wq_enqueue(ctx->io_wq, &req->work);
645 io_wq_enqueue_hashed(ctx->io_wq, &req->work,
646 file_inode(req->file));
650 io_queue_linked_timeout(link);
653 static void io_kill_timeout(struct io_kiocb *req)
657 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
659 atomic_inc(&req->ctx->cq_timeouts);
660 list_del_init(&req->list);
661 io_cqring_fill_event(req, 0);
666 static void io_kill_timeouts(struct io_ring_ctx *ctx)
668 struct io_kiocb *req, *tmp;
670 spin_lock_irq(&ctx->completion_lock);
671 list_for_each_entry_safe(req, tmp, &ctx->timeout_list, list)
672 io_kill_timeout(req);
673 spin_unlock_irq(&ctx->completion_lock);
676 static void io_commit_cqring(struct io_ring_ctx *ctx)
678 struct io_kiocb *req;
680 while ((req = io_get_timeout_req(ctx)) != NULL)
681 io_kill_timeout(req);
683 __io_commit_cqring(ctx);
685 while ((req = io_get_deferred_req(ctx)) != NULL) {
686 req->flags |= REQ_F_IO_DRAINED;
687 io_queue_async_work(req);
691 static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
693 struct io_rings *rings = ctx->rings;
696 tail = ctx->cached_cq_tail;
698 * writes to the cq entry need to come after reading head; the
699 * control dependency is enough as we're using WRITE_ONCE to
702 if (tail - READ_ONCE(rings->cq.head) == rings->cq_ring_entries)
705 ctx->cached_cq_tail++;
706 return &rings->cqes[tail & ctx->cq_mask];
709 static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
711 if (waitqueue_active(&ctx->wait))
713 if (waitqueue_active(&ctx->sqo_wait))
714 wake_up(&ctx->sqo_wait);
716 eventfd_signal(ctx->cq_ev_fd, 1);
719 /* Returns true if there are no backlogged entries after the flush */
720 static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
722 struct io_rings *rings = ctx->rings;
723 struct io_uring_cqe *cqe;
724 struct io_kiocb *req;
729 if (list_empty_careful(&ctx->cq_overflow_list))
731 if ((ctx->cached_cq_tail - READ_ONCE(rings->cq.head) ==
732 rings->cq_ring_entries))
736 spin_lock_irqsave(&ctx->completion_lock, flags);
738 /* if force is set, the ring is going away. always drop after that */
740 ctx->cq_overflow_flushed = true;
743 while (!list_empty(&ctx->cq_overflow_list)) {
744 cqe = io_get_cqring(ctx);
748 req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
750 list_move(&req->list, &list);
752 WRITE_ONCE(cqe->user_data, req->user_data);
753 WRITE_ONCE(cqe->res, req->result);
754 WRITE_ONCE(cqe->flags, 0);
756 WRITE_ONCE(ctx->rings->cq_overflow,
757 atomic_inc_return(&ctx->cached_cq_overflow));
761 io_commit_cqring(ctx);
762 spin_unlock_irqrestore(&ctx->completion_lock, flags);
763 io_cqring_ev_posted(ctx);
765 while (!list_empty(&list)) {
766 req = list_first_entry(&list, struct io_kiocb, list);
767 list_del(&req->list);
774 static void io_cqring_fill_event(struct io_kiocb *req, long res)
776 struct io_ring_ctx *ctx = req->ctx;
777 struct io_uring_cqe *cqe;
779 trace_io_uring_complete(ctx, req->user_data, res);
782 * If we can't get a cq entry, userspace overflowed the
783 * submission (by quite a lot). Increment the overflow count in
786 cqe = io_get_cqring(ctx);
788 WRITE_ONCE(cqe->user_data, req->user_data);
789 WRITE_ONCE(cqe->res, res);
790 WRITE_ONCE(cqe->flags, 0);
791 } else if (ctx->cq_overflow_flushed) {
792 WRITE_ONCE(ctx->rings->cq_overflow,
793 atomic_inc_return(&ctx->cached_cq_overflow));
795 refcount_inc(&req->refs);
797 list_add_tail(&req->list, &ctx->cq_overflow_list);
801 static void io_cqring_add_event(struct io_kiocb *req, long res)
803 struct io_ring_ctx *ctx = req->ctx;
806 spin_lock_irqsave(&ctx->completion_lock, flags);
807 io_cqring_fill_event(req, res);
808 io_commit_cqring(ctx);
809 spin_unlock_irqrestore(&ctx->completion_lock, flags);
811 io_cqring_ev_posted(ctx);
814 static inline bool io_is_fallback_req(struct io_kiocb *req)
816 return req == (struct io_kiocb *)
817 ((unsigned long) req->ctx->fallback_req & ~1UL);
820 static struct io_kiocb *io_get_fallback_req(struct io_ring_ctx *ctx)
822 struct io_kiocb *req;
824 req = ctx->fallback_req;
825 if (!test_and_set_bit_lock(0, (unsigned long *) ctx->fallback_req))
831 static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
832 struct io_submit_state *state)
834 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
835 struct io_kiocb *req;
837 if (!percpu_ref_tryget(&ctx->refs))
841 req = kmem_cache_alloc(req_cachep, gfp);
844 } else if (!state->free_reqs) {
848 sz = min_t(size_t, state->ios_left, ARRAY_SIZE(state->reqs));
849 ret = kmem_cache_alloc_bulk(req_cachep, gfp, sz, state->reqs);
852 * Bulk alloc is all-or-nothing. If we fail to get a batch,
853 * retry single alloc to be on the safe side.
855 if (unlikely(ret <= 0)) {
856 state->reqs[0] = kmem_cache_alloc(req_cachep, gfp);
861 state->free_reqs = ret - 1;
863 req = state->reqs[0];
865 req = state->reqs[state->cur_req];
872 req->ring_file = NULL;
876 /* one is dropped after submission, the other at completion */
877 refcount_set(&req->refs, 2);
879 INIT_IO_WORK(&req->work, io_wq_submit_work);
882 req = io_get_fallback_req(ctx);
885 percpu_ref_put(&ctx->refs);
889 static void io_free_req_many(struct io_ring_ctx *ctx, void **reqs, int *nr)
892 kmem_cache_free_bulk(req_cachep, *nr, reqs);
893 percpu_ref_put_many(&ctx->refs, *nr);
898 static void __io_free_req(struct io_kiocb *req)
900 struct io_ring_ctx *ctx = req->ctx;
904 if (req->file && !(req->flags & REQ_F_FIXED_FILE))
906 if (req->flags & REQ_F_INFLIGHT) {
909 spin_lock_irqsave(&ctx->inflight_lock, flags);
910 list_del(&req->inflight_entry);
911 if (waitqueue_active(&ctx->inflight_wait))
912 wake_up(&ctx->inflight_wait);
913 spin_unlock_irqrestore(&ctx->inflight_lock, flags);
915 percpu_ref_put(&ctx->refs);
916 if (likely(!io_is_fallback_req(req)))
917 kmem_cache_free(req_cachep, req);
919 clear_bit_unlock(0, (unsigned long *) ctx->fallback_req);
922 static bool io_link_cancel_timeout(struct io_kiocb *req)
924 struct io_ring_ctx *ctx = req->ctx;
927 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
929 io_cqring_fill_event(req, -ECANCELED);
930 io_commit_cqring(ctx);
931 req->flags &= ~REQ_F_LINK;
939 static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
941 struct io_ring_ctx *ctx = req->ctx;
942 bool wake_ev = false;
944 /* Already got next link */
945 if (req->flags & REQ_F_LINK_NEXT)
949 * The list should never be empty when we are called here. But could
950 * potentially happen if the chain is messed up, check to be on the
953 while (!list_empty(&req->link_list)) {
954 struct io_kiocb *nxt = list_first_entry(&req->link_list,
955 struct io_kiocb, link_list);
957 if (unlikely((req->flags & REQ_F_LINK_TIMEOUT) &&
958 (nxt->flags & REQ_F_TIMEOUT))) {
959 list_del_init(&nxt->link_list);
960 wake_ev |= io_link_cancel_timeout(nxt);
961 req->flags &= ~REQ_F_LINK_TIMEOUT;
965 list_del_init(&req->link_list);
966 if (!list_empty(&nxt->link_list))
967 nxt->flags |= REQ_F_LINK;
972 req->flags |= REQ_F_LINK_NEXT;
974 io_cqring_ev_posted(ctx);
978 * Called if REQ_F_LINK is set, and we fail the head request
980 static void io_fail_links(struct io_kiocb *req)
982 struct io_ring_ctx *ctx = req->ctx;
985 spin_lock_irqsave(&ctx->completion_lock, flags);
987 while (!list_empty(&req->link_list)) {
988 struct io_kiocb *link = list_first_entry(&req->link_list,
989 struct io_kiocb, link_list);
991 list_del_init(&link->link_list);
992 trace_io_uring_fail_link(req, link);
994 if ((req->flags & REQ_F_LINK_TIMEOUT) &&
995 link->sqe->opcode == IORING_OP_LINK_TIMEOUT) {
996 io_link_cancel_timeout(link);
998 io_cqring_fill_event(link, -ECANCELED);
999 __io_double_put_req(link);
1001 req->flags &= ~REQ_F_LINK_TIMEOUT;
1004 io_commit_cqring(ctx);
1005 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1006 io_cqring_ev_posted(ctx);
1009 static void io_req_find_next(struct io_kiocb *req, struct io_kiocb **nxt)
1011 if (likely(!(req->flags & REQ_F_LINK)))
1015 * If LINK is set, we have dependent requests in this chain. If we
1016 * didn't fail this request, queue the first one up, moving any other
1017 * dependencies to the next request. In case of failure, fail the rest
1020 if (req->flags & REQ_F_FAIL_LINK) {
1022 } else if ((req->flags & (REQ_F_LINK_TIMEOUT | REQ_F_COMP_LOCKED)) ==
1023 REQ_F_LINK_TIMEOUT) {
1024 struct io_ring_ctx *ctx = req->ctx;
1025 unsigned long flags;
1028 * If this is a timeout link, we could be racing with the
1029 * timeout timer. Grab the completion lock for this case to
1030 * protect against that.
1032 spin_lock_irqsave(&ctx->completion_lock, flags);
1033 io_req_link_next(req, nxt);
1034 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1036 io_req_link_next(req, nxt);
1040 static void io_free_req(struct io_kiocb *req)
1042 struct io_kiocb *nxt = NULL;
1044 io_req_find_next(req, &nxt);
1048 io_queue_async_work(nxt);
1052 * Drop reference to request, return next in chain (if there is one) if this
1053 * was the last reference to this request.
1055 __attribute__((nonnull))
1056 static void io_put_req_find_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
1058 io_req_find_next(req, nxtptr);
1060 if (refcount_dec_and_test(&req->refs))
1064 static void io_put_req(struct io_kiocb *req)
1066 if (refcount_dec_and_test(&req->refs))
1071 * Must only be used if we don't need to care about links, usually from
1072 * within the completion handling itself.
1074 static void __io_double_put_req(struct io_kiocb *req)
1076 /* drop both submit and complete references */
1077 if (refcount_sub_and_test(2, &req->refs))
1081 static void io_double_put_req(struct io_kiocb *req)
1083 /* drop both submit and complete references */
1084 if (refcount_sub_and_test(2, &req->refs))
1088 static unsigned io_cqring_events(struct io_ring_ctx *ctx, bool noflush)
1090 struct io_rings *rings = ctx->rings;
1093 * noflush == true is from the waitqueue handler, just ensure we wake
1094 * up the task, and the next invocation will flush the entries. We
1095 * cannot safely to it from here.
1097 if (noflush && !list_empty(&ctx->cq_overflow_list))
1100 io_cqring_overflow_flush(ctx, false);
1102 /* See comment at the top of this file */
1104 return READ_ONCE(rings->cq.tail) - READ_ONCE(rings->cq.head);
1107 static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
1109 struct io_rings *rings = ctx->rings;
1111 /* make sure SQ entry isn't read before tail */
1112 return smp_load_acquire(&rings->sq.tail) - ctx->cached_sq_head;
1116 * Find and free completed poll iocbs
1118 static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
1119 struct list_head *done)
1121 void *reqs[IO_IOPOLL_BATCH];
1122 struct io_kiocb *req;
1126 while (!list_empty(done)) {
1127 req = list_first_entry(done, struct io_kiocb, list);
1128 list_del(&req->list);
1130 io_cqring_fill_event(req, req->result);
1133 if (refcount_dec_and_test(&req->refs)) {
1134 /* If we're not using fixed files, we have to pair the
1135 * completion part with the file put. Use regular
1136 * completions for those, only batch free for fixed
1137 * file and non-linked commands.
1139 if (((req->flags & (REQ_F_FIXED_FILE|REQ_F_LINK)) ==
1140 REQ_F_FIXED_FILE) && !io_is_fallback_req(req) &&
1142 reqs[to_free++] = req;
1143 if (to_free == ARRAY_SIZE(reqs))
1144 io_free_req_many(ctx, reqs, &to_free);
1151 io_commit_cqring(ctx);
1152 io_free_req_many(ctx, reqs, &to_free);
1155 static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
1158 struct io_kiocb *req, *tmp;
1164 * Only spin for completions if we don't have multiple devices hanging
1165 * off our complete list, and we're under the requested amount.
1167 spin = !ctx->poll_multi_file && *nr_events < min;
1170 list_for_each_entry_safe(req, tmp, &ctx->poll_list, list) {
1171 struct kiocb *kiocb = &req->rw;
1174 * Move completed entries to our local list. If we find a
1175 * request that requires polling, break out and complete
1176 * the done list first, if we have entries there.
1178 if (req->flags & REQ_F_IOPOLL_COMPLETED) {
1179 list_move_tail(&req->list, &done);
1182 if (!list_empty(&done))
1185 ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
1194 if (!list_empty(&done))
1195 io_iopoll_complete(ctx, nr_events, &done);
1201 * Poll for a minimum of 'min' events. Note that if min == 0 we consider that a
1202 * non-spinning poll check - we'll still enter the driver poll loop, but only
1203 * as a non-spinning completion check.
1205 static int io_iopoll_getevents(struct io_ring_ctx *ctx, unsigned int *nr_events,
1208 while (!list_empty(&ctx->poll_list) && !need_resched()) {
1211 ret = io_do_iopoll(ctx, nr_events, min);
1214 if (!min || *nr_events >= min)
1222 * We can't just wait for polled events to come to us, we have to actively
1223 * find and complete them.
1225 static void io_iopoll_reap_events(struct io_ring_ctx *ctx)
1227 if (!(ctx->flags & IORING_SETUP_IOPOLL))
1230 mutex_lock(&ctx->uring_lock);
1231 while (!list_empty(&ctx->poll_list)) {
1232 unsigned int nr_events = 0;
1234 io_iopoll_getevents(ctx, &nr_events, 1);
1237 * Ensure we allow local-to-the-cpu processing to take place,
1238 * in this case we need to ensure that we reap all events.
1242 mutex_unlock(&ctx->uring_lock);
1245 static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1248 int iters = 0, ret = 0;
1254 * Don't enter poll loop if we already have events pending.
1255 * If we do, we can potentially be spinning for commands that
1256 * already triggered a CQE (eg in error).
1258 if (io_cqring_events(ctx, false))
1262 * If a submit got punted to a workqueue, we can have the
1263 * application entering polling for a command before it gets
1264 * issued. That app will hold the uring_lock for the duration
1265 * of the poll right here, so we need to take a breather every
1266 * now and then to ensure that the issue has a chance to add
1267 * the poll to the issued list. Otherwise we can spin here
1268 * forever, while the workqueue is stuck trying to acquire the
1271 if (!(++iters & 7)) {
1272 mutex_unlock(&ctx->uring_lock);
1273 mutex_lock(&ctx->uring_lock);
1276 if (*nr_events < min)
1277 tmin = min - *nr_events;
1279 ret = io_iopoll_getevents(ctx, nr_events, tmin);
1283 } while (min && !*nr_events && !need_resched());
1288 static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
1294 * We disallow the app entering submit/complete with polling, but we
1295 * still need to lock the ring to prevent racing with polled issue
1296 * that got punted to a workqueue.
1298 mutex_lock(&ctx->uring_lock);
1299 ret = __io_iopoll_check(ctx, nr_events, min);
1300 mutex_unlock(&ctx->uring_lock);
1304 static void kiocb_end_write(struct io_kiocb *req)
1307 * Tell lockdep we inherited freeze protection from submission
1310 if (req->flags & REQ_F_ISREG) {
1311 struct inode *inode = file_inode(req->file);
1313 __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
1315 file_end_write(req->file);
1318 static inline void req_set_fail_links(struct io_kiocb *req)
1320 if ((req->flags & (REQ_F_LINK | REQ_F_HARDLINK)) == REQ_F_LINK)
1321 req->flags |= REQ_F_FAIL_LINK;
1324 static void io_complete_rw_common(struct kiocb *kiocb, long res)
1326 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1328 if (kiocb->ki_flags & IOCB_WRITE)
1329 kiocb_end_write(req);
1331 if (res != req->result)
1332 req_set_fail_links(req);
1333 io_cqring_add_event(req, res);
1336 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
1338 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1340 io_complete_rw_common(kiocb, res);
1344 static struct io_kiocb *__io_complete_rw(struct kiocb *kiocb, long res)
1346 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1347 struct io_kiocb *nxt = NULL;
1349 io_complete_rw_common(kiocb, res);
1350 io_put_req_find_next(req, &nxt);
1355 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
1357 struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
1359 if (kiocb->ki_flags & IOCB_WRITE)
1360 kiocb_end_write(req);
1362 if (res != req->result)
1363 req_set_fail_links(req);
1366 req->flags |= REQ_F_IOPOLL_COMPLETED;
1370 * After the iocb has been issued, it's safe to be found on the poll list.
1371 * Adding the kiocb to the list AFTER submission ensures that we don't
1372 * find it from a io_iopoll_getevents() thread before the issuer is done
1373 * accessing the kiocb cookie.
1375 static void io_iopoll_req_issued(struct io_kiocb *req)
1377 struct io_ring_ctx *ctx = req->ctx;
1380 * Track whether we have multiple files in our lists. This will impact
1381 * how we do polling eventually, not spinning if we're on potentially
1382 * different devices.
1384 if (list_empty(&ctx->poll_list)) {
1385 ctx->poll_multi_file = false;
1386 } else if (!ctx->poll_multi_file) {
1387 struct io_kiocb *list_req;
1389 list_req = list_first_entry(&ctx->poll_list, struct io_kiocb,
1391 if (list_req->rw.ki_filp != req->rw.ki_filp)
1392 ctx->poll_multi_file = true;
1396 * For fast devices, IO may have already completed. If it has, add
1397 * it to the front so we find it first.
1399 if (req->flags & REQ_F_IOPOLL_COMPLETED)
1400 list_add(&req->list, &ctx->poll_list);
1402 list_add_tail(&req->list, &ctx->poll_list);
1405 static void io_file_put(struct io_submit_state *state)
1408 int diff = state->has_refs - state->used_refs;
1411 fput_many(state->file, diff);
1417 * Get as many references to a file as we have IOs left in this submission,
1418 * assuming most submissions are for one file, or at least that each file
1419 * has more than one submission.
1421 static struct file *io_file_get(struct io_submit_state *state, int fd)
1427 if (state->fd == fd) {
1434 state->file = fget_many(fd, state->ios_left);
1439 state->has_refs = state->ios_left;
1440 state->used_refs = 1;
1446 * If we tracked the file through the SCM inflight mechanism, we could support
1447 * any file. For now, just ensure that anything potentially problematic is done
1450 static bool io_file_supports_async(struct file *file)
1452 umode_t mode = file_inode(file)->i_mode;
1454 if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISSOCK(mode))
1456 if (S_ISREG(mode) && file->f_op != &io_uring_fops)
1462 static int io_prep_rw(struct io_kiocb *req, bool force_nonblock)
1464 const struct io_uring_sqe *sqe = req->sqe;
1465 struct io_ring_ctx *ctx = req->ctx;
1466 struct kiocb *kiocb = &req->rw;
1473 if (S_ISREG(file_inode(req->file)->i_mode))
1474 req->flags |= REQ_F_ISREG;
1476 kiocb->ki_pos = READ_ONCE(sqe->off);
1477 kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
1478 kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
1480 ioprio = READ_ONCE(sqe->ioprio);
1482 ret = ioprio_check_cap(ioprio);
1486 kiocb->ki_ioprio = ioprio;
1488 kiocb->ki_ioprio = get_current_ioprio();
1490 ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
1494 /* don't allow async punt if RWF_NOWAIT was requested */
1495 if ((kiocb->ki_flags & IOCB_NOWAIT) ||
1496 (req->file->f_flags & O_NONBLOCK))
1497 req->flags |= REQ_F_NOWAIT;
1500 kiocb->ki_flags |= IOCB_NOWAIT;
1502 if (ctx->flags & IORING_SETUP_IOPOLL) {
1503 if (!(kiocb->ki_flags & IOCB_DIRECT) ||
1504 !kiocb->ki_filp->f_op->iopoll)
1507 kiocb->ki_flags |= IOCB_HIPRI;
1508 kiocb->ki_complete = io_complete_rw_iopoll;
1511 if (kiocb->ki_flags & IOCB_HIPRI)
1513 kiocb->ki_complete = io_complete_rw;
1518 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
1524 case -ERESTARTNOINTR:
1525 case -ERESTARTNOHAND:
1526 case -ERESTART_RESTARTBLOCK:
1528 * We can't just restart the syscall, since previously
1529 * submitted sqes may already be in progress. Just fail this
1535 kiocb->ki_complete(kiocb, ret, 0);
1539 static void kiocb_done(struct kiocb *kiocb, ssize_t ret, struct io_kiocb **nxt,
1542 if (in_async && ret >= 0 && kiocb->ki_complete == io_complete_rw)
1543 *nxt = __io_complete_rw(kiocb, ret);
1545 io_rw_done(kiocb, ret);
1548 static ssize_t io_import_fixed(struct io_ring_ctx *ctx, int rw,
1549 const struct io_uring_sqe *sqe,
1550 struct iov_iter *iter)
1552 size_t len = READ_ONCE(sqe->len);
1553 struct io_mapped_ubuf *imu;
1554 unsigned index, buf_index;
1558 /* attempt to use fixed buffers without having provided iovecs */
1559 if (unlikely(!ctx->user_bufs))
1562 buf_index = READ_ONCE(sqe->buf_index);
1563 if (unlikely(buf_index >= ctx->nr_user_bufs))
1566 index = array_index_nospec(buf_index, ctx->nr_user_bufs);
1567 imu = &ctx->user_bufs[index];
1568 buf_addr = READ_ONCE(sqe->addr);
1571 if (buf_addr + len < buf_addr)
1573 /* not inside the mapped region */
1574 if (buf_addr < imu->ubuf || buf_addr + len > imu->ubuf + imu->len)
1578 * May not be a start of buffer, set size appropriately
1579 * and advance us to the beginning.
1581 offset = buf_addr - imu->ubuf;
1582 iov_iter_bvec(iter, rw, imu->bvec, imu->nr_bvecs, offset + len);
1586 * Don't use iov_iter_advance() here, as it's really slow for
1587 * using the latter parts of a big fixed buffer - it iterates
1588 * over each segment manually. We can cheat a bit here, because
1591 * 1) it's a BVEC iter, we set it up
1592 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1593 * first and last bvec
1595 * So just find our index, and adjust the iterator afterwards.
1596 * If the offset is within the first bvec (or the whole first
1597 * bvec, just use iov_iter_advance(). This makes it easier
1598 * since we can just skip the first segment, which may not
1599 * be PAGE_SIZE aligned.
1601 const struct bio_vec *bvec = imu->bvec;
1603 if (offset <= bvec->bv_len) {
1604 iov_iter_advance(iter, offset);
1606 unsigned long seg_skip;
1608 /* skip first vec */
1609 offset -= bvec->bv_len;
1610 seg_skip = 1 + (offset >> PAGE_SHIFT);
1612 iter->bvec = bvec + seg_skip;
1613 iter->nr_segs -= seg_skip;
1614 iter->count -= bvec->bv_len + offset;
1615 iter->iov_offset = offset & ~PAGE_MASK;
1622 static ssize_t io_import_iovec(int rw, struct io_kiocb *req,
1623 struct iovec **iovec, struct iov_iter *iter)
1625 const struct io_uring_sqe *sqe = req->sqe;
1626 void __user *buf = u64_to_user_ptr(READ_ONCE(sqe->addr));
1627 size_t sqe_len = READ_ONCE(sqe->len);
1631 * We're reading ->opcode for the second time, but the first read
1632 * doesn't care whether it's _FIXED or not, so it doesn't matter
1633 * whether ->opcode changes concurrently. The first read does care
1634 * about whether it is a READ or a WRITE, so we don't trust this read
1635 * for that purpose and instead let the caller pass in the read/write
1638 opcode = READ_ONCE(sqe->opcode);
1639 if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
1641 return io_import_fixed(req->ctx, rw, sqe, iter);
1645 struct io_async_rw *iorw = &req->io->rw;
1648 iov_iter_init(iter, rw, *iovec, iorw->nr_segs, iorw->size);
1649 if (iorw->iov == iorw->fast_iov)
1657 #ifdef CONFIG_COMPAT
1658 if (req->ctx->compat)
1659 return compat_import_iovec(rw, buf, sqe_len, UIO_FASTIOV,
1663 return import_iovec(rw, buf, sqe_len, UIO_FASTIOV, iovec, iter);
1667 * For files that don't have ->read_iter() and ->write_iter(), handle them
1668 * by looping over ->read() or ->write() manually.
1670 static ssize_t loop_rw_iter(int rw, struct file *file, struct kiocb *kiocb,
1671 struct iov_iter *iter)
1676 * Don't support polled IO through this interface, and we can't
1677 * support non-blocking either. For the latter, this just causes
1678 * the kiocb to be handled from an async context.
1680 if (kiocb->ki_flags & IOCB_HIPRI)
1682 if (kiocb->ki_flags & IOCB_NOWAIT)
1685 while (iov_iter_count(iter)) {
1689 if (!iov_iter_is_bvec(iter)) {
1690 iovec = iov_iter_iovec(iter);
1692 /* fixed buffers import bvec */
1693 iovec.iov_base = kmap(iter->bvec->bv_page)
1695 iovec.iov_len = min(iter->count,
1696 iter->bvec->bv_len - iter->iov_offset);
1700 nr = file->f_op->read(file, iovec.iov_base,
1701 iovec.iov_len, &kiocb->ki_pos);
1703 nr = file->f_op->write(file, iovec.iov_base,
1704 iovec.iov_len, &kiocb->ki_pos);
1707 if (iov_iter_is_bvec(iter))
1708 kunmap(iter->bvec->bv_page);
1716 if (nr != iovec.iov_len)
1718 iov_iter_advance(iter, nr);
1724 static void io_req_map_rw(struct io_kiocb *req, ssize_t io_size,
1725 struct iovec *iovec, struct iovec *fast_iov,
1726 struct iov_iter *iter)
1728 req->io->rw.nr_segs = iter->nr_segs;
1729 req->io->rw.size = io_size;
1730 req->io->rw.iov = iovec;
1731 if (!req->io->rw.iov) {
1732 req->io->rw.iov = req->io->rw.fast_iov;
1733 memcpy(req->io->rw.iov, fast_iov,
1734 sizeof(struct iovec) * iter->nr_segs);
1738 static int io_alloc_async_ctx(struct io_kiocb *req)
1740 req->io = kmalloc(sizeof(*req->io), GFP_KERNEL);
1742 memcpy(&req->io->sqe, req->sqe, sizeof(req->io->sqe));
1743 req->sqe = &req->io->sqe;
1750 static void io_rw_async(struct io_wq_work **workptr)
1752 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
1753 struct iovec *iov = NULL;
1755 if (req->io->rw.iov != req->io->rw.fast_iov)
1756 iov = req->io->rw.iov;
1757 io_wq_submit_work(workptr);
1761 static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
1762 struct iovec *iovec, struct iovec *fast_iov,
1763 struct iov_iter *iter)
1765 if (!req->io && io_alloc_async_ctx(req))
1768 io_req_map_rw(req, io_size, iovec, fast_iov, iter);
1769 req->work.func = io_rw_async;
1773 static int io_read_prep(struct io_kiocb *req, struct iovec **iovec,
1774 struct iov_iter *iter, bool force_nonblock)
1778 ret = io_prep_rw(req, force_nonblock);
1782 if (unlikely(!(req->file->f_mode & FMODE_READ)))
1785 return io_import_iovec(READ, req, iovec, iter);
1788 static int io_read(struct io_kiocb *req, struct io_kiocb **nxt,
1789 bool force_nonblock)
1791 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1792 struct kiocb *kiocb = &req->rw;
1793 struct iov_iter iter;
1796 ssize_t io_size, ret;
1799 ret = io_read_prep(req, &iovec, &iter, force_nonblock);
1803 ret = io_import_iovec(READ, req, &iovec, &iter);
1810 if (req->flags & REQ_F_LINK)
1811 req->result = io_size;
1814 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1815 * we know to async punt it even if it was opened O_NONBLOCK
1817 if (force_nonblock && !io_file_supports_async(file)) {
1818 req->flags |= REQ_F_MUST_PUNT;
1822 iov_count = iov_iter_count(&iter);
1823 ret = rw_verify_area(READ, file, &kiocb->ki_pos, iov_count);
1827 if (file->f_op->read_iter)
1828 ret2 = call_read_iter(file, kiocb, &iter);
1830 ret2 = loop_rw_iter(READ, file, kiocb, &iter);
1833 * In case of a short read, punt to async. This can happen
1834 * if we have data partially cached. Alternatively we can
1835 * return the short read, in which case the application will
1836 * need to issue another SQE and wait for it. That SQE will
1837 * need async punt anyway, so it's more efficient to do it
1840 if (force_nonblock && !(req->flags & REQ_F_NOWAIT) &&
1841 (req->flags & REQ_F_ISREG) &&
1842 ret2 > 0 && ret2 < io_size)
1844 /* Catch -EAGAIN return for forced non-blocking submission */
1845 if (!force_nonblock || ret2 != -EAGAIN) {
1846 kiocb_done(kiocb, ret2, nxt, req->in_async);
1849 ret = io_setup_async_rw(req, io_size, iovec,
1850 inline_vecs, &iter);
1857 if (!io_wq_current_is_worker())
1862 static int io_write_prep(struct io_kiocb *req, struct iovec **iovec,
1863 struct iov_iter *iter, bool force_nonblock)
1867 ret = io_prep_rw(req, force_nonblock);
1871 if (unlikely(!(req->file->f_mode & FMODE_WRITE)))
1874 return io_import_iovec(WRITE, req, iovec, iter);
1877 static int io_write(struct io_kiocb *req, struct io_kiocb **nxt,
1878 bool force_nonblock)
1880 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1881 struct kiocb *kiocb = &req->rw;
1882 struct iov_iter iter;
1885 ssize_t ret, io_size;
1888 ret = io_write_prep(req, &iovec, &iter, force_nonblock);
1892 ret = io_import_iovec(WRITE, req, &iovec, &iter);
1897 file = kiocb->ki_filp;
1899 if (req->flags & REQ_F_LINK)
1900 req->result = io_size;
1903 * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
1904 * we know to async punt it even if it was opened O_NONBLOCK
1906 if (force_nonblock && !io_file_supports_async(req->file)) {
1907 req->flags |= REQ_F_MUST_PUNT;
1911 /* file path doesn't support NOWAIT for non-direct_IO */
1912 if (force_nonblock && !(kiocb->ki_flags & IOCB_DIRECT) &&
1913 (req->flags & REQ_F_ISREG))
1916 iov_count = iov_iter_count(&iter);
1917 ret = rw_verify_area(WRITE, file, &kiocb->ki_pos, iov_count);
1922 * Open-code file_start_write here to grab freeze protection,
1923 * which will be released by another thread in
1924 * io_complete_rw(). Fool lockdep by telling it the lock got
1925 * released so that it doesn't complain about the held lock when
1926 * we return to userspace.
1928 if (req->flags & REQ_F_ISREG) {
1929 __sb_start_write(file_inode(file)->i_sb,
1930 SB_FREEZE_WRITE, true);
1931 __sb_writers_release(file_inode(file)->i_sb,
1934 kiocb->ki_flags |= IOCB_WRITE;
1936 if (file->f_op->write_iter)
1937 ret2 = call_write_iter(file, kiocb, &iter);
1939 ret2 = loop_rw_iter(WRITE, file, kiocb, &iter);
1940 if (!force_nonblock || ret2 != -EAGAIN) {
1941 kiocb_done(kiocb, ret2, nxt, req->in_async);
1944 ret = io_setup_async_rw(req, io_size, iovec,
1945 inline_vecs, &iter);
1952 if (!io_wq_current_is_worker())
1958 * IORING_OP_NOP just posts a completion event, nothing else.
1960 static int io_nop(struct io_kiocb *req)
1962 struct io_ring_ctx *ctx = req->ctx;
1964 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
1967 io_cqring_add_event(req, 0);
1972 static int io_prep_fsync(struct io_kiocb *req)
1974 const struct io_uring_sqe *sqe = req->sqe;
1975 struct io_ring_ctx *ctx = req->ctx;
1977 if (req->flags & REQ_F_PREPPED)
1982 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
1984 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
1987 req->sync.flags = READ_ONCE(sqe->fsync_flags);
1988 if (unlikely(req->sync.flags & ~IORING_FSYNC_DATASYNC))
1991 req->sync.off = READ_ONCE(sqe->off);
1992 req->sync.len = READ_ONCE(sqe->len);
1993 req->flags |= REQ_F_PREPPED;
1997 static bool io_req_cancelled(struct io_kiocb *req)
1999 if (req->work.flags & IO_WQ_WORK_CANCEL) {
2000 req_set_fail_links(req);
2001 io_cqring_add_event(req, -ECANCELED);
2009 static void io_fsync_finish(struct io_wq_work **workptr)
2011 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2012 loff_t end = req->sync.off + req->sync.len;
2013 struct io_kiocb *nxt = NULL;
2016 if (io_req_cancelled(req))
2019 ret = vfs_fsync_range(req->rw.ki_filp, req->sync.off,
2020 end > 0 ? end : LLONG_MAX,
2021 req->sync.flags & IORING_FSYNC_DATASYNC);
2023 req_set_fail_links(req);
2024 io_cqring_add_event(req, ret);
2025 io_put_req_find_next(req, &nxt);
2027 *workptr = &nxt->work;
2030 static int io_fsync(struct io_kiocb *req, struct io_kiocb **nxt,
2031 bool force_nonblock)
2033 struct io_wq_work *work, *old_work;
2036 ret = io_prep_fsync(req);
2040 /* fsync always requires a blocking context */
2041 if (force_nonblock) {
2043 req->work.func = io_fsync_finish;
2047 work = old_work = &req->work;
2048 io_fsync_finish(&work);
2049 if (work && work != old_work)
2050 *nxt = container_of(work, struct io_kiocb, work);
2054 static int io_prep_sfr(struct io_kiocb *req)
2056 const struct io_uring_sqe *sqe = req->sqe;
2057 struct io_ring_ctx *ctx = req->ctx;
2059 if (req->flags & REQ_F_PREPPED)
2064 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2066 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
2069 req->sync.off = READ_ONCE(sqe->off);
2070 req->sync.len = READ_ONCE(sqe->len);
2071 req->sync.flags = READ_ONCE(sqe->sync_range_flags);
2072 req->flags |= REQ_F_PREPPED;
2076 static void io_sync_file_range_finish(struct io_wq_work **workptr)
2078 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2079 struct io_kiocb *nxt = NULL;
2082 if (io_req_cancelled(req))
2085 ret = sync_file_range(req->rw.ki_filp, req->sync.off, req->sync.len,
2088 req_set_fail_links(req);
2089 io_cqring_add_event(req, ret);
2090 io_put_req_find_next(req, &nxt);
2092 *workptr = &nxt->work;
2095 static int io_sync_file_range(struct io_kiocb *req, struct io_kiocb **nxt,
2096 bool force_nonblock)
2098 struct io_wq_work *work, *old_work;
2101 ret = io_prep_sfr(req);
2105 /* sync_file_range always requires a blocking context */
2106 if (force_nonblock) {
2108 req->work.func = io_sync_file_range_finish;
2112 work = old_work = &req->work;
2113 io_sync_file_range_finish(&work);
2114 if (work && work != old_work)
2115 *nxt = container_of(work, struct io_kiocb, work);
2119 #if defined(CONFIG_NET)
2120 static void io_sendrecv_async(struct io_wq_work **workptr)
2122 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2123 struct iovec *iov = NULL;
2125 if (req->io->rw.iov != req->io->rw.fast_iov)
2126 iov = req->io->msg.iov;
2127 io_wq_submit_work(workptr);
2132 static int io_sendmsg_prep(struct io_kiocb *req, struct io_async_ctx *io)
2134 #if defined(CONFIG_NET)
2135 const struct io_uring_sqe *sqe = req->sqe;
2136 struct user_msghdr __user *msg;
2139 flags = READ_ONCE(sqe->msg_flags);
2140 msg = (struct user_msghdr __user *)(unsigned long) READ_ONCE(sqe->addr);
2141 io->msg.iov = io->msg.fast_iov;
2142 return sendmsg_copy_msghdr(&io->msg.msg, msg, flags, &io->msg.iov);
2148 static int io_sendmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2149 bool force_nonblock)
2151 #if defined(CONFIG_NET)
2152 const struct io_uring_sqe *sqe = req->sqe;
2153 struct io_async_msghdr *kmsg = NULL;
2154 struct socket *sock;
2157 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2160 sock = sock_from_file(req->file, &ret);
2162 struct io_async_ctx io;
2163 struct sockaddr_storage addr;
2166 flags = READ_ONCE(sqe->msg_flags);
2167 if (flags & MSG_DONTWAIT)
2168 req->flags |= REQ_F_NOWAIT;
2169 else if (force_nonblock)
2170 flags |= MSG_DONTWAIT;
2173 kmsg = &req->io->msg;
2174 kmsg->msg.msg_name = &addr;
2175 /* if iov is set, it's allocated already */
2177 kmsg->iov = kmsg->fast_iov;
2178 kmsg->msg.msg_iter.iov = kmsg->iov;
2181 kmsg->msg.msg_name = &addr;
2182 ret = io_sendmsg_prep(req, &io);
2187 ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
2188 if (force_nonblock && ret == -EAGAIN) {
2191 if (io_alloc_async_ctx(req))
2193 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2194 req->work.func = io_sendrecv_async;
2197 if (ret == -ERESTARTSYS)
2202 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2204 io_cqring_add_event(req, ret);
2206 req_set_fail_links(req);
2207 io_put_req_find_next(req, nxt);
2214 static int io_recvmsg_prep(struct io_kiocb *req, struct io_async_ctx *io)
2216 #if defined(CONFIG_NET)
2217 const struct io_uring_sqe *sqe = req->sqe;
2218 struct user_msghdr __user *msg;
2221 flags = READ_ONCE(sqe->msg_flags);
2222 msg = (struct user_msghdr __user *)(unsigned long) READ_ONCE(sqe->addr);
2223 io->msg.iov = io->msg.fast_iov;
2224 return recvmsg_copy_msghdr(&io->msg.msg, msg, flags, &io->msg.uaddr,
2231 static int io_recvmsg(struct io_kiocb *req, struct io_kiocb **nxt,
2232 bool force_nonblock)
2234 #if defined(CONFIG_NET)
2235 const struct io_uring_sqe *sqe = req->sqe;
2236 struct io_async_msghdr *kmsg = NULL;
2237 struct socket *sock;
2240 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2243 sock = sock_from_file(req->file, &ret);
2245 struct user_msghdr __user *msg;
2246 struct io_async_ctx io;
2247 struct sockaddr_storage addr;
2250 flags = READ_ONCE(sqe->msg_flags);
2251 if (flags & MSG_DONTWAIT)
2252 req->flags |= REQ_F_NOWAIT;
2253 else if (force_nonblock)
2254 flags |= MSG_DONTWAIT;
2256 msg = (struct user_msghdr __user *) (unsigned long)
2257 READ_ONCE(sqe->addr);
2259 kmsg = &req->io->msg;
2260 kmsg->msg.msg_name = &addr;
2261 /* if iov is set, it's allocated already */
2263 kmsg->iov = kmsg->fast_iov;
2264 kmsg->msg.msg_iter.iov = kmsg->iov;
2267 kmsg->msg.msg_name = &addr;
2268 ret = io_recvmsg_prep(req, &io);
2273 ret = __sys_recvmsg_sock(sock, &kmsg->msg, msg, kmsg->uaddr, flags);
2274 if (force_nonblock && ret == -EAGAIN) {
2277 if (io_alloc_async_ctx(req))
2279 memcpy(&req->io->msg, &io.msg, sizeof(io.msg));
2280 req->work.func = io_sendrecv_async;
2283 if (ret == -ERESTARTSYS)
2288 if (!io_wq_current_is_worker() && kmsg && kmsg->iov != kmsg->fast_iov)
2290 io_cqring_add_event(req, ret);
2292 req_set_fail_links(req);
2293 io_put_req_find_next(req, nxt);
2300 static int io_accept_prep(struct io_kiocb *req)
2302 #if defined(CONFIG_NET)
2303 const struct io_uring_sqe *sqe = req->sqe;
2304 struct io_accept *accept = &req->accept;
2306 if (req->flags & REQ_F_PREPPED)
2309 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2311 if (sqe->ioprio || sqe->len || sqe->buf_index)
2314 accept->addr = (struct sockaddr __user *)
2315 (unsigned long) READ_ONCE(sqe->addr);
2316 accept->addr_len = (int __user *) (unsigned long) READ_ONCE(sqe->addr2);
2317 accept->flags = READ_ONCE(sqe->accept_flags);
2318 req->flags |= REQ_F_PREPPED;
2325 #if defined(CONFIG_NET)
2326 static int __io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2327 bool force_nonblock)
2329 struct io_accept *accept = &req->accept;
2330 unsigned file_flags;
2333 file_flags = force_nonblock ? O_NONBLOCK : 0;
2334 ret = __sys_accept4_file(req->file, file_flags, accept->addr,
2335 accept->addr_len, accept->flags);
2336 if (ret == -EAGAIN && force_nonblock)
2338 if (ret == -ERESTARTSYS)
2341 req_set_fail_links(req);
2342 io_cqring_add_event(req, ret);
2343 io_put_req_find_next(req, nxt);
2347 static void io_accept_finish(struct io_wq_work **workptr)
2349 struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
2350 struct io_kiocb *nxt = NULL;
2352 if (io_req_cancelled(req))
2354 __io_accept(req, &nxt, false);
2356 *workptr = &nxt->work;
2360 static int io_accept(struct io_kiocb *req, struct io_kiocb **nxt,
2361 bool force_nonblock)
2363 #if defined(CONFIG_NET)
2366 ret = io_accept_prep(req);
2370 ret = __io_accept(req, nxt, force_nonblock);
2371 if (ret == -EAGAIN && force_nonblock) {
2372 req->work.func = io_accept_finish;
2373 req->work.flags |= IO_WQ_WORK_NEEDS_FILES;
2383 static int io_connect_prep(struct io_kiocb *req, struct io_async_ctx *io)
2385 #if defined(CONFIG_NET)
2386 const struct io_uring_sqe *sqe = req->sqe;
2387 struct sockaddr __user *addr;
2390 addr = (struct sockaddr __user *) (unsigned long) READ_ONCE(sqe->addr);
2391 addr_len = READ_ONCE(sqe->addr2);
2392 return move_addr_to_kernel(addr, addr_len, &io->connect.address);
2398 static int io_connect(struct io_kiocb *req, struct io_kiocb **nxt,
2399 bool force_nonblock)
2401 #if defined(CONFIG_NET)
2402 const struct io_uring_sqe *sqe = req->sqe;
2403 struct io_async_ctx __io, *io;
2404 unsigned file_flags;
2407 if (unlikely(req->ctx->flags & (IORING_SETUP_IOPOLL|IORING_SETUP_SQPOLL)))
2409 if (sqe->ioprio || sqe->len || sqe->buf_index || sqe->rw_flags)
2412 addr_len = READ_ONCE(sqe->addr2);
2413 file_flags = force_nonblock ? O_NONBLOCK : 0;
2418 ret = io_connect_prep(req, &__io);
2424 ret = __sys_connect_file(req->file, &io->connect.address, addr_len,
2426 if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
2429 if (io_alloc_async_ctx(req)) {
2433 memcpy(&req->io->connect, &__io.connect, sizeof(__io.connect));
2436 if (ret == -ERESTARTSYS)
2440 req_set_fail_links(req);
2441 io_cqring_add_event(req, ret);
2442 io_put_req_find_next(req, nxt);
2449 static void io_poll_remove_one(struct io_kiocb *req)
2451 struct io_poll_iocb *poll = &req->poll;
2453 spin_lock(&poll->head->lock);
2454 WRITE_ONCE(poll->canceled, true);
2455 if (!list_empty(&poll->wait.entry)) {
2456 list_del_init(&poll->wait.entry);
2457 io_queue_async_work(req);
2459 spin_unlock(&poll->head->lock);
2460 hash_del(&req->hash_node);
2463 static void io_poll_remove_all(struct io_ring_ctx *ctx)
2465 struct hlist_node *tmp;
2466 struct io_kiocb *req;
2469 spin_lock_irq(&ctx->completion_lock);
2470 for (i = 0; i < (1U << ctx->cancel_hash_bits); i++) {
2471 struct hlist_head *list;
2473 list = &ctx->cancel_hash[i];
2474 hlist_for_each_entry_safe(req, tmp, list, hash_node)
2475 io_poll_remove_one(req);
2477 spin_unlock_irq(&ctx->completion_lock);
2480 static int io_poll_cancel(struct io_ring_ctx *ctx, __u64 sqe_addr)
2482 struct hlist_head *list;
2483 struct io_kiocb *req;
2485 list = &ctx->cancel_hash[hash_long(sqe_addr, ctx->cancel_hash_bits)];
2486 hlist_for_each_entry(req, list, hash_node) {
2487 if (sqe_addr == req->user_data) {
2488 io_poll_remove_one(req);
2496 static int io_poll_remove_prep(struct io_kiocb *req)
2498 const struct io_uring_sqe *sqe = req->sqe;
2500 if (req->flags & REQ_F_PREPPED)
2502 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2504 if (sqe->ioprio || sqe->off || sqe->len || sqe->buf_index ||
2508 req->poll.addr = READ_ONCE(sqe->addr);
2509 req->flags |= REQ_F_PREPPED;
2514 * Find a running poll command that matches one specified in sqe->addr,
2515 * and remove it if found.
2517 static int io_poll_remove(struct io_kiocb *req)
2519 struct io_ring_ctx *ctx = req->ctx;
2523 ret = io_poll_remove_prep(req);
2527 addr = req->poll.addr;
2528 spin_lock_irq(&ctx->completion_lock);
2529 ret = io_poll_cancel(ctx, addr);
2530 spin_unlock_irq(&ctx->completion_lock);
2532 io_cqring_add_event(req, ret);
2534 req_set_fail_links(req);
2539 static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
2541 struct io_ring_ctx *ctx = req->ctx;
2543 req->poll.done = true;
2545 io_cqring_fill_event(req, error);
2547 io_cqring_fill_event(req, mangle_poll(mask));
2548 io_commit_cqring(ctx);
2551 static void io_poll_complete_work(struct io_wq_work **workptr)
2553 struct io_wq_work *work = *workptr;
2554 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2555 struct io_poll_iocb *poll = &req->poll;
2556 struct poll_table_struct pt = { ._key = poll->events };
2557 struct io_ring_ctx *ctx = req->ctx;
2558 struct io_kiocb *nxt = NULL;
2562 if (work->flags & IO_WQ_WORK_CANCEL) {
2563 WRITE_ONCE(poll->canceled, true);
2565 } else if (READ_ONCE(poll->canceled)) {
2569 if (ret != -ECANCELED)
2570 mask = vfs_poll(poll->file, &pt) & poll->events;
2573 * Note that ->ki_cancel callers also delete iocb from active_reqs after
2574 * calling ->ki_cancel. We need the ctx_lock roundtrip here to
2575 * synchronize with them. In the cancellation case the list_del_init
2576 * itself is not actually needed, but harmless so we keep it in to
2577 * avoid further branches in the fast path.
2579 spin_lock_irq(&ctx->completion_lock);
2580 if (!mask && ret != -ECANCELED) {
2581 add_wait_queue(poll->head, &poll->wait);
2582 spin_unlock_irq(&ctx->completion_lock);
2585 hash_del(&req->hash_node);
2586 io_poll_complete(req, mask, ret);
2587 spin_unlock_irq(&ctx->completion_lock);
2589 io_cqring_ev_posted(ctx);
2592 req_set_fail_links(req);
2593 io_put_req_find_next(req, &nxt);
2595 *workptr = &nxt->work;
2598 static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2601 struct io_poll_iocb *poll = wait->private;
2602 struct io_kiocb *req = container_of(poll, struct io_kiocb, poll);
2603 struct io_ring_ctx *ctx = req->ctx;
2604 __poll_t mask = key_to_poll(key);
2605 unsigned long flags;
2607 /* for instances that support it check for an event match first: */
2608 if (mask && !(mask & poll->events))
2611 list_del_init(&poll->wait.entry);
2614 * Run completion inline if we can. We're using trylock here because
2615 * we are violating the completion_lock -> poll wq lock ordering.
2616 * If we have a link timeout we're going to need the completion_lock
2617 * for finalizing the request, mark us as having grabbed that already.
2619 if (mask && spin_trylock_irqsave(&ctx->completion_lock, flags)) {
2620 hash_del(&req->hash_node);
2621 io_poll_complete(req, mask, 0);
2622 req->flags |= REQ_F_COMP_LOCKED;
2624 spin_unlock_irqrestore(&ctx->completion_lock, flags);
2626 io_cqring_ev_posted(ctx);
2628 io_queue_async_work(req);
2634 struct io_poll_table {
2635 struct poll_table_struct pt;
2636 struct io_kiocb *req;
2640 static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
2641 struct poll_table_struct *p)
2643 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
2645 if (unlikely(pt->req->poll.head)) {
2646 pt->error = -EINVAL;
2651 pt->req->poll.head = head;
2652 add_wait_queue(head, &pt->req->poll.wait);
2655 static void io_poll_req_insert(struct io_kiocb *req)
2657 struct io_ring_ctx *ctx = req->ctx;
2658 struct hlist_head *list;
2660 list = &ctx->cancel_hash[hash_long(req->user_data, ctx->cancel_hash_bits)];
2661 hlist_add_head(&req->hash_node, list);
2664 static int io_poll_add_prep(struct io_kiocb *req)
2666 const struct io_uring_sqe *sqe = req->sqe;
2667 struct io_poll_iocb *poll = &req->poll;
2670 if (req->flags & REQ_F_PREPPED)
2672 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2674 if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
2679 req->flags |= REQ_F_PREPPED;
2680 events = READ_ONCE(sqe->poll_events);
2681 poll->events = demangle_poll(events) | EPOLLERR | EPOLLHUP;
2685 static int io_poll_add(struct io_kiocb *req, struct io_kiocb **nxt)
2687 struct io_poll_iocb *poll = &req->poll;
2688 struct io_ring_ctx *ctx = req->ctx;
2689 struct io_poll_table ipt;
2690 bool cancel = false;
2694 ret = io_poll_add_prep(req);
2698 INIT_IO_WORK(&req->work, io_poll_complete_work);
2699 INIT_HLIST_NODE(&req->hash_node);
2703 poll->canceled = false;
2705 ipt.pt._qproc = io_poll_queue_proc;
2706 ipt.pt._key = poll->events;
2708 ipt.error = -EINVAL; /* same as no support for IOCB_CMD_POLL */
2710 /* initialized the list so that we can do list_empty checks */
2711 INIT_LIST_HEAD(&poll->wait.entry);
2712 init_waitqueue_func_entry(&poll->wait, io_poll_wake);
2713 poll->wait.private = poll;
2715 INIT_LIST_HEAD(&req->list);
2717 mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
2719 spin_lock_irq(&ctx->completion_lock);
2720 if (likely(poll->head)) {
2721 spin_lock(&poll->head->lock);
2722 if (unlikely(list_empty(&poll->wait.entry))) {
2728 if (mask || ipt.error)
2729 list_del_init(&poll->wait.entry);
2731 WRITE_ONCE(poll->canceled, true);
2732 else if (!poll->done) /* actually waiting for an event */
2733 io_poll_req_insert(req);
2734 spin_unlock(&poll->head->lock);
2736 if (mask) { /* no async, we'd stolen it */
2738 io_poll_complete(req, mask, 0);
2740 spin_unlock_irq(&ctx->completion_lock);
2743 io_cqring_ev_posted(ctx);
2744 io_put_req_find_next(req, nxt);
2749 static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
2751 struct io_timeout_data *data = container_of(timer,
2752 struct io_timeout_data, timer);
2753 struct io_kiocb *req = data->req;
2754 struct io_ring_ctx *ctx = req->ctx;
2755 unsigned long flags;
2757 atomic_inc(&ctx->cq_timeouts);
2759 spin_lock_irqsave(&ctx->completion_lock, flags);
2761 * We could be racing with timeout deletion. If the list is empty,
2762 * then timeout lookup already found it and will be handling it.
2764 if (!list_empty(&req->list)) {
2765 struct io_kiocb *prev;
2768 * Adjust the reqs sequence before the current one because it
2769 * will consume a slot in the cq_ring and the cq_tail
2770 * pointer will be increased, otherwise other timeout reqs may
2771 * return in advance without waiting for enough wait_nr.
2774 list_for_each_entry_continue_reverse(prev, &ctx->timeout_list, list)
2776 list_del_init(&req->list);
2779 io_cqring_fill_event(req, -ETIME);
2780 io_commit_cqring(ctx);
2781 spin_unlock_irqrestore(&ctx->completion_lock, flags);
2783 io_cqring_ev_posted(ctx);
2784 req_set_fail_links(req);
2786 return HRTIMER_NORESTART;
2789 static int io_timeout_cancel(struct io_ring_ctx *ctx, __u64 user_data)
2791 struct io_kiocb *req;
2794 list_for_each_entry(req, &ctx->timeout_list, list) {
2795 if (user_data == req->user_data) {
2796 list_del_init(&req->list);
2805 ret = hrtimer_try_to_cancel(&req->io->timeout.timer);
2809 req_set_fail_links(req);
2810 io_cqring_fill_event(req, -ECANCELED);
2816 * Remove or update an existing timeout command
2818 static int io_timeout_remove(struct io_kiocb *req)
2820 const struct io_uring_sqe *sqe = req->sqe;
2821 struct io_ring_ctx *ctx = req->ctx;
2825 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
2827 if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
2829 flags = READ_ONCE(sqe->timeout_flags);
2833 spin_lock_irq(&ctx->completion_lock);
2834 ret = io_timeout_cancel(ctx, READ_ONCE(sqe->addr));
2836 io_cqring_fill_event(req, ret);
2837 io_commit_cqring(ctx);
2838 spin_unlock_irq(&ctx->completion_lock);
2839 io_cqring_ev_posted(ctx);
2841 req_set_fail_links(req);
2846 static int io_timeout_prep(struct io_kiocb *req, struct io_async_ctx *io,
2847 bool is_timeout_link)
2849 const struct io_uring_sqe *sqe = req->sqe;
2850 struct io_timeout_data *data;
2853 if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
2855 if (sqe->ioprio || sqe->buf_index || sqe->len != 1)
2857 if (sqe->off && is_timeout_link)
2859 flags = READ_ONCE(sqe->timeout_flags);
2860 if (flags & ~IORING_TIMEOUT_ABS)
2863 data = &io->timeout;
2865 req->flags |= REQ_F_TIMEOUT;
2867 if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
2870 if (flags & IORING_TIMEOUT_ABS)
2871 data->mode = HRTIMER_MODE_ABS;
2873 data->mode = HRTIMER_MODE_REL;
2875 hrtimer_init(&data->timer, CLOCK_MONOTONIC, data->mode);
2879 static int io_timeout(struct io_kiocb *req)
2881 const struct io_uring_sqe *sqe = req->sqe;
2883 struct io_ring_ctx *ctx = req->ctx;
2884 struct io_timeout_data *data;
2885 struct list_head *entry;
2890 if (io_alloc_async_ctx(req))
2892 ret = io_timeout_prep(req, req->io, false);
2896 data = &req->io->timeout;
2899 * sqe->off holds how many events that need to occur for this
2900 * timeout event to be satisfied. If it isn't set, then this is
2901 * a pure timeout request, sequence isn't used.
2903 count = READ_ONCE(sqe->off);
2905 req->flags |= REQ_F_TIMEOUT_NOSEQ;
2906 spin_lock_irq(&ctx->completion_lock);
2907 entry = ctx->timeout_list.prev;
2911 req->sequence = ctx->cached_sq_head + count - 1;
2912 data->seq_offset = count;
2915 * Insertion sort, ensuring the first entry in the list is always
2916 * the one we need first.
2918 spin_lock_irq(&ctx->completion_lock);
2919 list_for_each_prev(entry, &ctx->timeout_list) {
2920 struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
2921 unsigned nxt_sq_head;
2922 long long tmp, tmp_nxt;
2923 u32 nxt_offset = nxt->io->timeout.seq_offset;
2925 if (nxt->flags & REQ_F_TIMEOUT_NOSEQ)
2929 * Since cached_sq_head + count - 1 can overflow, use type long
2932 tmp = (long long)ctx->cached_sq_head + count - 1;
2933 nxt_sq_head = nxt->sequence - nxt_offset + 1;
2934 tmp_nxt = (long long)nxt_sq_head + nxt_offset - 1;
2937 * cached_sq_head may overflow, and it will never overflow twice
2938 * once there is some timeout req still be valid.
2940 if (ctx->cached_sq_head < nxt_sq_head)
2947 * Sequence of reqs after the insert one and itself should
2948 * be adjusted because each timeout req consumes a slot.
2953 req->sequence -= span;
2955 list_add(&req->list, entry);
2956 data->timer.function = io_timeout_fn;
2957 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
2958 spin_unlock_irq(&ctx->completion_lock);
2962 static bool io_cancel_cb(struct io_wq_work *work, void *data)
2964 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
2966 return req->user_data == (unsigned long) data;
2969 static int io_async_cancel_one(struct io_ring_ctx *ctx, void *sqe_addr)
2971 enum io_wq_cancel cancel_ret;
2974 cancel_ret = io_wq_cancel_cb(ctx->io_wq, io_cancel_cb, sqe_addr);
2975 switch (cancel_ret) {
2976 case IO_WQ_CANCEL_OK:
2979 case IO_WQ_CANCEL_RUNNING:
2982 case IO_WQ_CANCEL_NOTFOUND:
2990 static void io_async_find_and_cancel(struct io_ring_ctx *ctx,
2991 struct io_kiocb *req, __u64 sqe_addr,
2992 struct io_kiocb **nxt, int success_ret)
2994 unsigned long flags;
2997 ret = io_async_cancel_one(ctx, (void *) (unsigned long) sqe_addr);
2998 if (ret != -ENOENT) {
2999 spin_lock_irqsave(&ctx->completion_lock, flags);
3003 spin_lock_irqsave(&ctx->completion_lock, flags);
3004 ret = io_timeout_cancel(ctx, sqe_addr);
3007 ret = io_poll_cancel(ctx, sqe_addr);
3011 io_cqring_fill_event(req, ret);
3012 io_commit_cqring(ctx);
3013 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3014 io_cqring_ev_posted(ctx);
3017 req_set_fail_links(req);
3018 io_put_req_find_next(req, nxt);
3021 static int io_async_cancel(struct io_kiocb *req, struct io_kiocb **nxt)
3023 const struct io_uring_sqe *sqe = req->sqe;
3024 struct io_ring_ctx *ctx = req->ctx;
3026 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
3028 if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
3032 io_async_find_and_cancel(ctx, req, READ_ONCE(sqe->addr), nxt, 0);
3036 static int io_req_defer_prep(struct io_kiocb *req)
3038 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
3039 struct io_async_ctx *io = req->io;
3040 struct iov_iter iter;
3043 switch (io->sqe.opcode) {
3044 case IORING_OP_READV:
3045 case IORING_OP_READ_FIXED:
3046 /* ensure prep does right import */
3048 ret = io_read_prep(req, &iovec, &iter, true);
3052 io_req_map_rw(req, ret, iovec, inline_vecs, &iter);
3055 case IORING_OP_WRITEV:
3056 case IORING_OP_WRITE_FIXED:
3057 /* ensure prep does right import */
3059 ret = io_write_prep(req, &iovec, &iter, true);
3063 io_req_map_rw(req, ret, iovec, inline_vecs, &iter);
3066 case IORING_OP_POLL_ADD:
3067 ret = io_poll_add_prep(req);
3069 case IORING_OP_POLL_REMOVE:
3070 ret = io_poll_remove_prep(req);
3072 case IORING_OP_FSYNC:
3073 ret = io_prep_fsync(req);
3075 case IORING_OP_SYNC_FILE_RANGE:
3076 ret = io_prep_sfr(req);
3078 case IORING_OP_SENDMSG:
3079 ret = io_sendmsg_prep(req, io);
3081 case IORING_OP_RECVMSG:
3082 ret = io_recvmsg_prep(req, io);
3084 case IORING_OP_CONNECT:
3085 ret = io_connect_prep(req, io);
3087 case IORING_OP_TIMEOUT:
3088 ret = io_timeout_prep(req, io, false);
3090 case IORING_OP_LINK_TIMEOUT:
3091 ret = io_timeout_prep(req, io, true);
3093 case IORING_OP_ACCEPT:
3094 ret = io_accept_prep(req);
3104 static int io_req_defer(struct io_kiocb *req)
3106 struct io_ring_ctx *ctx = req->ctx;
3109 /* Still need defer if there is pending req in defer list. */
3110 if (!req_need_defer(req) && list_empty(&ctx->defer_list))
3113 if (io_alloc_async_ctx(req))
3116 ret = io_req_defer_prep(req);
3120 spin_lock_irq(&ctx->completion_lock);
3121 if (!req_need_defer(req) && list_empty(&ctx->defer_list)) {
3122 spin_unlock_irq(&ctx->completion_lock);
3126 trace_io_uring_defer(ctx, req, req->user_data);
3127 list_add_tail(&req->list, &ctx->defer_list);
3128 spin_unlock_irq(&ctx->completion_lock);
3129 return -EIOCBQUEUED;
3132 __attribute__((nonnull))
3133 static int io_issue_sqe(struct io_kiocb *req, struct io_kiocb **nxt,
3134 bool force_nonblock)
3137 struct io_ring_ctx *ctx = req->ctx;
3139 opcode = READ_ONCE(req->sqe->opcode);
3144 case IORING_OP_READV:
3145 if (unlikely(req->sqe->buf_index))
3147 ret = io_read(req, nxt, force_nonblock);
3149 case IORING_OP_WRITEV:
3150 if (unlikely(req->sqe->buf_index))
3152 ret = io_write(req, nxt, force_nonblock);
3154 case IORING_OP_READ_FIXED:
3155 ret = io_read(req, nxt, force_nonblock);
3157 case IORING_OP_WRITE_FIXED:
3158 ret = io_write(req, nxt, force_nonblock);
3160 case IORING_OP_FSYNC:
3161 ret = io_fsync(req, nxt, force_nonblock);
3163 case IORING_OP_POLL_ADD:
3164 ret = io_poll_add(req, nxt);
3166 case IORING_OP_POLL_REMOVE:
3167 ret = io_poll_remove(req);
3169 case IORING_OP_SYNC_FILE_RANGE:
3170 ret = io_sync_file_range(req, nxt, force_nonblock);
3172 case IORING_OP_SENDMSG:
3173 ret = io_sendmsg(req, nxt, force_nonblock);
3175 case IORING_OP_RECVMSG:
3176 ret = io_recvmsg(req, nxt, force_nonblock);
3178 case IORING_OP_TIMEOUT:
3179 ret = io_timeout(req);
3181 case IORING_OP_TIMEOUT_REMOVE:
3182 ret = io_timeout_remove(req);
3184 case IORING_OP_ACCEPT:
3185 ret = io_accept(req, nxt, force_nonblock);
3187 case IORING_OP_CONNECT:
3188 ret = io_connect(req, nxt, force_nonblock);
3190 case IORING_OP_ASYNC_CANCEL:
3191 ret = io_async_cancel(req, nxt);
3201 if (ctx->flags & IORING_SETUP_IOPOLL) {
3202 if (req->result == -EAGAIN)
3205 io_iopoll_req_issued(req);
3211 static void io_link_work_cb(struct io_wq_work **workptr)
3213 struct io_wq_work *work = *workptr;
3214 struct io_kiocb *link = work->data;
3216 io_queue_linked_timeout(link);
3217 work->func = io_wq_submit_work;
3220 static void io_wq_submit_work(struct io_wq_work **workptr)
3222 struct io_wq_work *work = *workptr;
3223 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
3224 struct io_kiocb *nxt = NULL;
3227 /* Ensure we clear previously set non-block flag */
3228 req->rw.ki_flags &= ~IOCB_NOWAIT;
3230 if (work->flags & IO_WQ_WORK_CANCEL)
3234 req->has_user = (work->flags & IO_WQ_WORK_HAS_MM) != 0;
3235 req->in_async = true;
3237 ret = io_issue_sqe(req, &nxt, false);
3239 * We can get EAGAIN for polled IO even though we're
3240 * forcing a sync submission from here, since we can't
3241 * wait for request slots on the block side.
3249 /* drop submission reference */
3253 req_set_fail_links(req);
3254 io_cqring_add_event(req, ret);
3258 /* if a dependent link is ready, pass it back */
3260 struct io_kiocb *link;
3262 io_prep_async_work(nxt, &link);
3263 *workptr = &nxt->work;
3265 nxt->work.flags |= IO_WQ_WORK_CB;
3266 nxt->work.func = io_link_work_cb;
3267 nxt->work.data = link;
3272 static bool io_req_op_valid(int op)
3274 return op >= IORING_OP_NOP && op < IORING_OP_LAST;
3277 static int io_op_needs_file(const struct io_uring_sqe *sqe)
3279 int op = READ_ONCE(sqe->opcode);
3283 case IORING_OP_POLL_REMOVE:
3284 case IORING_OP_TIMEOUT:
3285 case IORING_OP_TIMEOUT_REMOVE:
3286 case IORING_OP_ASYNC_CANCEL:
3287 case IORING_OP_LINK_TIMEOUT:
3290 if (io_req_op_valid(op))
3296 static inline struct file *io_file_from_index(struct io_ring_ctx *ctx,
3299 struct fixed_file_table *table;
3301 table = &ctx->file_table[index >> IORING_FILE_TABLE_SHIFT];
3302 return table->files[index & IORING_FILE_TABLE_MASK];
3305 static int io_req_set_file(struct io_submit_state *state, struct io_kiocb *req)
3307 struct io_ring_ctx *ctx = req->ctx;
3311 flags = READ_ONCE(req->sqe->flags);
3312 fd = READ_ONCE(req->sqe->fd);
3314 if (flags & IOSQE_IO_DRAIN)
3315 req->flags |= REQ_F_IO_DRAIN;
3317 ret = io_op_needs_file(req->sqe);
3321 if (flags & IOSQE_FIXED_FILE) {
3322 if (unlikely(!ctx->file_table ||
3323 (unsigned) fd >= ctx->nr_user_files))
3325 fd = array_index_nospec(fd, ctx->nr_user_files);
3326 req->file = io_file_from_index(ctx, fd);
3329 req->flags |= REQ_F_FIXED_FILE;
3331 if (req->needs_fixed_file)
3333 trace_io_uring_file_get(ctx, fd);
3334 req->file = io_file_get(state, fd);
3335 if (unlikely(!req->file))
3342 static int io_grab_files(struct io_kiocb *req)
3345 struct io_ring_ctx *ctx = req->ctx;
3348 spin_lock_irq(&ctx->inflight_lock);
3350 * We use the f_ops->flush() handler to ensure that we can flush
3351 * out work accessing these files if the fd is closed. Check if
3352 * the fd has changed since we started down this path, and disallow
3353 * this operation if it has.
3355 if (fcheck(req->ring_fd) == req->ring_file) {
3356 list_add(&req->inflight_entry, &ctx->inflight_list);
3357 req->flags |= REQ_F_INFLIGHT;
3358 req->work.files = current->files;
3361 spin_unlock_irq(&ctx->inflight_lock);
3367 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
3369 struct io_timeout_data *data = container_of(timer,
3370 struct io_timeout_data, timer);
3371 struct io_kiocb *req = data->req;
3372 struct io_ring_ctx *ctx = req->ctx;
3373 struct io_kiocb *prev = NULL;
3374 unsigned long flags;
3376 spin_lock_irqsave(&ctx->completion_lock, flags);
3379 * We don't expect the list to be empty, that will only happen if we
3380 * race with the completion of the linked work.
3382 if (!list_empty(&req->link_list)) {
3383 prev = list_entry(req->link_list.prev, struct io_kiocb,
3385 if (refcount_inc_not_zero(&prev->refs)) {
3386 list_del_init(&req->link_list);
3387 prev->flags &= ~REQ_F_LINK_TIMEOUT;
3392 spin_unlock_irqrestore(&ctx->completion_lock, flags);
3395 req_set_fail_links(prev);
3396 io_async_find_and_cancel(ctx, req, prev->user_data, NULL,
3400 io_cqring_add_event(req, -ETIME);
3403 return HRTIMER_NORESTART;
3406 static void io_queue_linked_timeout(struct io_kiocb *req)
3408 struct io_ring_ctx *ctx = req->ctx;
3411 * If the list is now empty, then our linked request finished before
3412 * we got a chance to setup the timer
3414 spin_lock_irq(&ctx->completion_lock);
3415 if (!list_empty(&req->link_list)) {
3416 struct io_timeout_data *data = &req->io->timeout;
3418 data->timer.function = io_link_timeout_fn;
3419 hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
3422 spin_unlock_irq(&ctx->completion_lock);
3424 /* drop submission reference */
3428 static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req)
3430 struct io_kiocb *nxt;
3432 if (!(req->flags & REQ_F_LINK))
3435 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb,
3437 if (!nxt || nxt->sqe->opcode != IORING_OP_LINK_TIMEOUT)
3440 req->flags |= REQ_F_LINK_TIMEOUT;
3444 static void __io_queue_sqe(struct io_kiocb *req)
3446 struct io_kiocb *linked_timeout;
3447 struct io_kiocb *nxt = NULL;
3451 linked_timeout = io_prep_linked_timeout(req);
3453 ret = io_issue_sqe(req, &nxt, true);
3456 * We async punt it if the file wasn't marked NOWAIT, or if the file
3457 * doesn't support non-blocking read/write attempts
3459 if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
3460 (req->flags & REQ_F_MUST_PUNT))) {
3461 if (req->work.flags & IO_WQ_WORK_NEEDS_FILES) {
3462 ret = io_grab_files(req);
3468 * Queued up for async execution, worker will release
3469 * submit reference when the iocb is actually submitted.
3471 io_queue_async_work(req);
3476 /* drop submission reference */
3479 if (linked_timeout) {
3481 io_queue_linked_timeout(linked_timeout);
3483 io_put_req(linked_timeout);
3486 /* and drop final reference, if we failed */
3488 io_cqring_add_event(req, ret);
3489 req_set_fail_links(req);
3500 static void io_queue_sqe(struct io_kiocb *req)
3504 if (unlikely(req->ctx->drain_next)) {
3505 req->flags |= REQ_F_IO_DRAIN;
3506 req->ctx->drain_next = false;
3508 req->ctx->drain_next = (req->flags & REQ_F_DRAIN_LINK);
3510 ret = io_req_defer(req);
3512 if (ret != -EIOCBQUEUED) {
3513 io_cqring_add_event(req, ret);
3514 req_set_fail_links(req);
3515 io_double_put_req(req);
3518 __io_queue_sqe(req);
3521 static inline void io_queue_link_head(struct io_kiocb *req)
3523 if (unlikely(req->flags & REQ_F_FAIL_LINK)) {
3524 io_cqring_add_event(req, -ECANCELED);
3525 io_double_put_req(req);
3530 #define SQE_VALID_FLAGS (IOSQE_FIXED_FILE|IOSQE_IO_DRAIN|IOSQE_IO_LINK| \
3533 static bool io_submit_sqe(struct io_kiocb *req, struct io_submit_state *state,
3534 struct io_kiocb **link)
3536 struct io_ring_ctx *ctx = req->ctx;
3539 req->user_data = req->sqe->user_data;
3541 /* enforce forwards compatibility on users */
3542 if (unlikely(req->sqe->flags & ~SQE_VALID_FLAGS)) {
3547 ret = io_req_set_file(state, req);
3548 if (unlikely(ret)) {
3550 io_cqring_add_event(req, ret);
3551 io_double_put_req(req);
3556 * If we already have a head request, queue this one for async
3557 * submittal once the head completes. If we don't have a head but
3558 * IOSQE_IO_LINK is set in the sqe, start a new head. This one will be
3559 * submitted sync once the chain is complete. If none of those
3560 * conditions are true (normal request), then just queue it.
3563 struct io_kiocb *prev = *link;
3565 if (req->sqe->flags & IOSQE_IO_DRAIN)
3566 (*link)->flags |= REQ_F_DRAIN_LINK | REQ_F_IO_DRAIN;
3568 if (req->sqe->flags & IOSQE_IO_HARDLINK)
3569 req->flags |= REQ_F_HARDLINK;
3571 if (io_alloc_async_ctx(req)) {
3576 ret = io_req_defer_prep(req);
3578 /* fail even hard links since we don't submit */
3579 prev->flags |= REQ_F_FAIL_LINK;
3582 trace_io_uring_link(ctx, req, prev);
3583 list_add_tail(&req->link_list, &prev->link_list);
3584 } else if (req->sqe->flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
3585 req->flags |= REQ_F_LINK;
3586 if (req->sqe->flags & IOSQE_IO_HARDLINK)
3587 req->flags |= REQ_F_HARDLINK;
3589 INIT_LIST_HEAD(&req->link_list);
3599 * Batched submission is done, ensure local IO is flushed out.
3601 static void io_submit_state_end(struct io_submit_state *state)
3603 blk_finish_plug(&state->plug);
3605 if (state->free_reqs)
3606 kmem_cache_free_bulk(req_cachep, state->free_reqs,
3607 &state->reqs[state->cur_req]);
3611 * Start submission side cache.
3613 static void io_submit_state_start(struct io_submit_state *state,
3614 unsigned int max_ios)
3616 blk_start_plug(&state->plug);
3617 state->free_reqs = 0;
3619 state->ios_left = max_ios;
3622 static void io_commit_sqring(struct io_ring_ctx *ctx)
3624 struct io_rings *rings = ctx->rings;
3626 if (ctx->cached_sq_head != READ_ONCE(rings->sq.head)) {
3628 * Ensure any loads from the SQEs are done at this point,
3629 * since once we write the new head, the application could
3630 * write new data to them.
3632 smp_store_release(&rings->sq.head, ctx->cached_sq_head);
3637 * Fetch an sqe, if one is available. Note that req->sqe will point to memory
3638 * that is mapped by userspace. This means that care needs to be taken to
3639 * ensure that reads are stable, as we cannot rely on userspace always
3640 * being a good citizen. If members of the sqe are validated and then later
3641 * used, it's important that those reads are done through READ_ONCE() to
3642 * prevent a re-load down the line.
3644 static bool io_get_sqring(struct io_ring_ctx *ctx, struct io_kiocb *req)
3646 struct io_rings *rings = ctx->rings;
3647 u32 *sq_array = ctx->sq_array;
3651 * The cached sq head (or cq tail) serves two purposes:
3653 * 1) allows us to batch the cost of updating the user visible
3655 * 2) allows the kernel side to track the head on its own, even
3656 * though the application is the one updating it.
3658 head = ctx->cached_sq_head;
3659 /* make sure SQ entry isn't read before tail */
3660 if (unlikely(head == smp_load_acquire(&rings->sq.tail)))
3663 head = READ_ONCE(sq_array[head & ctx->sq_mask]);
3664 if (likely(head < ctx->sq_entries)) {
3666 * All io need record the previous position, if LINK vs DARIN,
3667 * it can be used to mark the position of the first IO in the
3670 req->sequence = ctx->cached_sq_head;
3671 req->sqe = &ctx->sq_sqes[head];
3672 ctx->cached_sq_head++;
3676 /* drop invalid entries */
3677 ctx->cached_sq_head++;
3678 ctx->cached_sq_dropped++;
3679 WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
3683 static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
3684 struct file *ring_file, int ring_fd,
3685 struct mm_struct **mm, bool async)
3687 struct io_submit_state state, *statep = NULL;
3688 struct io_kiocb *link = NULL;
3689 int i, submitted = 0;
3690 bool mm_fault = false;
3692 /* if we have a backlog and couldn't flush it all, return BUSY */
3693 if (!list_empty(&ctx->cq_overflow_list) &&
3694 !io_cqring_overflow_flush(ctx, false))
3697 if (nr > IO_PLUG_THRESHOLD) {
3698 io_submit_state_start(&state, nr);
3702 for (i = 0; i < nr; i++) {
3703 struct io_kiocb *req;
3704 unsigned int sqe_flags;
3706 req = io_get_req(ctx, statep);
3707 if (unlikely(!req)) {
3709 submitted = -EAGAIN;
3712 if (!io_get_sqring(ctx, req)) {
3717 if (io_sqe_needs_user(req->sqe) && !*mm) {
3718 mm_fault = mm_fault || !mmget_not_zero(ctx->sqo_mm);
3720 use_mm(ctx->sqo_mm);
3726 sqe_flags = req->sqe->flags;
3728 req->ring_file = ring_file;
3729 req->ring_fd = ring_fd;
3730 req->has_user = *mm != NULL;
3731 req->in_async = async;
3732 req->needs_fixed_file = async;
3733 trace_io_uring_submit_sqe(ctx, req->sqe->user_data,
3735 if (!io_submit_sqe(req, statep, &link))
3738 * If previous wasn't linked and we have a linked command,
3739 * that's the end of the chain. Submit the previous link.
3741 if (!(sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) && link) {
3742 io_queue_link_head(link);
3748 io_queue_link_head(link);
3750 io_submit_state_end(&state);
3752 /* Commit SQ ring head once we've consumed and submitted all SQEs */
3753 io_commit_sqring(ctx);
3758 static int io_sq_thread(void *data)
3760 struct io_ring_ctx *ctx = data;
3761 struct mm_struct *cur_mm = NULL;
3762 const struct cred *old_cred;
3763 mm_segment_t old_fs;
3766 unsigned long timeout;
3769 complete(&ctx->completions[1]);
3773 old_cred = override_creds(ctx->creds);
3775 ret = timeout = inflight = 0;
3776 while (!kthread_should_park()) {
3777 unsigned int to_submit;
3780 unsigned nr_events = 0;
3782 if (ctx->flags & IORING_SETUP_IOPOLL) {
3784 * inflight is the count of the maximum possible
3785 * entries we submitted, but it can be smaller
3786 * if we dropped some of them. If we don't have
3787 * poll entries available, then we know that we
3788 * have nothing left to poll for. Reset the
3789 * inflight count to zero in that case.
3791 mutex_lock(&ctx->uring_lock);
3792 if (!list_empty(&ctx->poll_list))
3793 __io_iopoll_check(ctx, &nr_events, 0);
3796 mutex_unlock(&ctx->uring_lock);
3799 * Normal IO, just pretend everything completed.
3800 * We don't have to poll completions for that.
3802 nr_events = inflight;
3805 inflight -= nr_events;
3807 timeout = jiffies + ctx->sq_thread_idle;
3810 to_submit = io_sqring_entries(ctx);
3813 * If submit got -EBUSY, flag us as needing the application
3814 * to enter the kernel to reap and flush events.
3816 if (!to_submit || ret == -EBUSY) {
3818 * We're polling. If we're within the defined idle
3819 * period, then let us spin without work before going
3820 * to sleep. The exception is if we got EBUSY doing
3821 * more IO, we should wait for the application to
3822 * reap events and wake us up.
3825 (!time_after(jiffies, timeout) && ret != -EBUSY)) {
3831 * Drop cur_mm before scheduling, we can't hold it for
3832 * long periods (or over schedule()). Do this before
3833 * adding ourselves to the waitqueue, as the unuse/drop
3842 prepare_to_wait(&ctx->sqo_wait, &wait,
3843 TASK_INTERRUPTIBLE);
3845 /* Tell userspace we may need a wakeup call */
3846 ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
3847 /* make sure to read SQ tail after writing flags */
3850 to_submit = io_sqring_entries(ctx);
3851 if (!to_submit || ret == -EBUSY) {
3852 if (kthread_should_park()) {
3853 finish_wait(&ctx->sqo_wait, &wait);
3856 if (signal_pending(current))
3857 flush_signals(current);
3859 finish_wait(&ctx->sqo_wait, &wait);
3861 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
3864 finish_wait(&ctx->sqo_wait, &wait);
3866 ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
3869 to_submit = min(to_submit, ctx->sq_entries);
3870 mutex_lock(&ctx->uring_lock);
3871 ret = io_submit_sqes(ctx, to_submit, NULL, -1, &cur_mm, true);
3872 mutex_unlock(&ctx->uring_lock);
3882 revert_creds(old_cred);
3889 struct io_wait_queue {
3890 struct wait_queue_entry wq;
3891 struct io_ring_ctx *ctx;
3893 unsigned nr_timeouts;
3896 static inline bool io_should_wake(struct io_wait_queue *iowq, bool noflush)
3898 struct io_ring_ctx *ctx = iowq->ctx;
3901 * Wake up if we have enough events, or if a timeout occurred since we
3902 * started waiting. For timeouts, we always want to return to userspace,
3903 * regardless of event count.
3905 return io_cqring_events(ctx, noflush) >= iowq->to_wait ||
3906 atomic_read(&ctx->cq_timeouts) != iowq->nr_timeouts;
3909 static int io_wake_function(struct wait_queue_entry *curr, unsigned int mode,
3910 int wake_flags, void *key)
3912 struct io_wait_queue *iowq = container_of(curr, struct io_wait_queue,
3915 /* use noflush == true, as we can't safely rely on locking context */
3916 if (!io_should_wake(iowq, true))
3919 return autoremove_wake_function(curr, mode, wake_flags, key);
3923 * Wait until events become available, if we don't already have some. The
3924 * application must reap them itself, as they reside on the shared cq ring.
3926 static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
3927 const sigset_t __user *sig, size_t sigsz)
3929 struct io_wait_queue iowq = {
3932 .func = io_wake_function,
3933 .entry = LIST_HEAD_INIT(iowq.wq.entry),
3936 .to_wait = min_events,
3938 struct io_rings *rings = ctx->rings;
3941 if (io_cqring_events(ctx, false) >= min_events)
3945 #ifdef CONFIG_COMPAT
3946 if (in_compat_syscall())
3947 ret = set_compat_user_sigmask((const compat_sigset_t __user *)sig,
3951 ret = set_user_sigmask(sig, sigsz);
3957 iowq.nr_timeouts = atomic_read(&ctx->cq_timeouts);
3958 trace_io_uring_cqring_wait(ctx, min_events);
3960 prepare_to_wait_exclusive(&ctx->wait, &iowq.wq,
3961 TASK_INTERRUPTIBLE);
3962 if (io_should_wake(&iowq, false))
3965 if (signal_pending(current)) {
3970 finish_wait(&ctx->wait, &iowq.wq);
3972 restore_saved_sigmask_unless(ret == -EINTR);
3974 return READ_ONCE(rings->cq.head) == READ_ONCE(rings->cq.tail) ? ret : 0;
3977 static void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
3979 #if defined(CONFIG_UNIX)
3980 if (ctx->ring_sock) {
3981 struct sock *sock = ctx->ring_sock->sk;
3982 struct sk_buff *skb;
3984 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
3990 for (i = 0; i < ctx->nr_user_files; i++) {
3993 file = io_file_from_index(ctx, i);
4000 static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
4002 unsigned nr_tables, i;
4004 if (!ctx->file_table)
4007 __io_sqe_files_unregister(ctx);
4008 nr_tables = DIV_ROUND_UP(ctx->nr_user_files, IORING_MAX_FILES_TABLE);
4009 for (i = 0; i < nr_tables; i++)
4010 kfree(ctx->file_table[i].files);
4011 kfree(ctx->file_table);
4012 ctx->file_table = NULL;
4013 ctx->nr_user_files = 0;
4017 static void io_sq_thread_stop(struct io_ring_ctx *ctx)
4019 if (ctx->sqo_thread) {
4020 wait_for_completion(&ctx->completions[1]);
4022 * The park is a bit of a work-around, without it we get
4023 * warning spews on shutdown with SQPOLL set and affinity
4024 * set to a single CPU.
4026 kthread_park(ctx->sqo_thread);
4027 kthread_stop(ctx->sqo_thread);
4028 ctx->sqo_thread = NULL;
4032 static void io_finish_async(struct io_ring_ctx *ctx)
4034 io_sq_thread_stop(ctx);
4037 io_wq_destroy(ctx->io_wq);
4042 #if defined(CONFIG_UNIX)
4043 static void io_destruct_skb(struct sk_buff *skb)
4045 struct io_ring_ctx *ctx = skb->sk->sk_user_data;
4048 io_wq_flush(ctx->io_wq);
4050 unix_destruct_scm(skb);
4054 * Ensure the UNIX gc is aware of our file set, so we are certain that
4055 * the io_uring can be safely unregistered on process exit, even if we have
4056 * loops in the file referencing.
4058 static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
4060 struct sock *sk = ctx->ring_sock->sk;
4061 struct scm_fp_list *fpl;
4062 struct sk_buff *skb;
4065 if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
4066 unsigned long inflight = ctx->user->unix_inflight + nr;
4068 if (inflight > task_rlimit(current, RLIMIT_NOFILE))
4072 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
4076 skb = alloc_skb(0, GFP_KERNEL);
4085 fpl->user = get_uid(ctx->user);
4086 for (i = 0; i < nr; i++) {
4087 struct file *file = io_file_from_index(ctx, i + offset);
4091 fpl->fp[nr_files] = get_file(file);
4092 unix_inflight(fpl->user, fpl->fp[nr_files]);
4097 fpl->max = SCM_MAX_FD;
4098 fpl->count = nr_files;
4099 UNIXCB(skb).fp = fpl;
4100 skb->destructor = io_destruct_skb;
4101 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
4102 skb_queue_head(&sk->sk_receive_queue, skb);
4104 for (i = 0; i < nr_files; i++)
4115 * If UNIX sockets are enabled, fd passing can cause a reference cycle which
4116 * causes regular reference counting to break down. We rely on the UNIX
4117 * garbage collection to take care of this problem for us.
4119 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4121 unsigned left, total;
4125 left = ctx->nr_user_files;
4127 unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
4129 ret = __io_sqe_files_scm(ctx, this_files, total);
4133 total += this_files;
4139 while (total < ctx->nr_user_files) {
4140 struct file *file = io_file_from_index(ctx, total);
4150 static int io_sqe_files_scm(struct io_ring_ctx *ctx)
4156 static int io_sqe_alloc_file_tables(struct io_ring_ctx *ctx, unsigned nr_tables,
4161 for (i = 0; i < nr_tables; i++) {
4162 struct fixed_file_table *table = &ctx->file_table[i];
4163 unsigned this_files;
4165 this_files = min(nr_files, IORING_MAX_FILES_TABLE);
4166 table->files = kcalloc(this_files, sizeof(struct file *),
4170 nr_files -= this_files;
4176 for (i = 0; i < nr_tables; i++) {
4177 struct fixed_file_table *table = &ctx->file_table[i];
4178 kfree(table->files);
4183 static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
4186 __s32 __user *fds = (__s32 __user *) arg;
4191 if (ctx->file_table)
4195 if (nr_args > IORING_MAX_FIXED_FILES)
4198 nr_tables = DIV_ROUND_UP(nr_args, IORING_MAX_FILES_TABLE);
4199 ctx->file_table = kcalloc(nr_tables, sizeof(struct fixed_file_table),
4201 if (!ctx->file_table)
4204 if (io_sqe_alloc_file_tables(ctx, nr_tables, nr_args)) {
4205 kfree(ctx->file_table);
4206 ctx->file_table = NULL;
4210 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
4211 struct fixed_file_table *table;
4215 if (copy_from_user(&fd, &fds[i], sizeof(fd)))
4217 /* allow sparse sets */
4223 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4224 index = i & IORING_FILE_TABLE_MASK;
4225 table->files[index] = fget(fd);
4228 if (!table->files[index])
4231 * Don't allow io_uring instances to be registered. If UNIX
4232 * isn't enabled, then this causes a reference cycle and this
4233 * instance can never get freed. If UNIX is enabled we'll
4234 * handle it just fine, but there's still no point in allowing
4235 * a ring fd as it doesn't support regular read/write anyway.
4237 if (table->files[index]->f_op == &io_uring_fops) {
4238 fput(table->files[index]);
4245 for (i = 0; i < ctx->nr_user_files; i++) {
4248 file = io_file_from_index(ctx, i);
4252 for (i = 0; i < nr_tables; i++)
4253 kfree(ctx->file_table[i].files);
4255 kfree(ctx->file_table);
4256 ctx->file_table = NULL;
4257 ctx->nr_user_files = 0;
4261 ret = io_sqe_files_scm(ctx);
4263 io_sqe_files_unregister(ctx);
4268 static void io_sqe_file_unregister(struct io_ring_ctx *ctx, int index)
4270 #if defined(CONFIG_UNIX)
4271 struct file *file = io_file_from_index(ctx, index);
4272 struct sock *sock = ctx->ring_sock->sk;
4273 struct sk_buff_head list, *head = &sock->sk_receive_queue;
4274 struct sk_buff *skb;
4277 __skb_queue_head_init(&list);
4280 * Find the skb that holds this file in its SCM_RIGHTS. When found,
4281 * remove this entry and rearrange the file array.
4283 skb = skb_dequeue(head);
4285 struct scm_fp_list *fp;
4287 fp = UNIXCB(skb).fp;
4288 for (i = 0; i < fp->count; i++) {
4291 if (fp->fp[i] != file)
4294 unix_notinflight(fp->user, fp->fp[i]);
4295 left = fp->count - 1 - i;
4297 memmove(&fp->fp[i], &fp->fp[i + 1],
4298 left * sizeof(struct file *));
4305 __skb_queue_tail(&list, skb);
4315 __skb_queue_tail(&list, skb);
4317 skb = skb_dequeue(head);
4320 if (skb_peek(&list)) {
4321 spin_lock_irq(&head->lock);
4322 while ((skb = __skb_dequeue(&list)) != NULL)
4323 __skb_queue_tail(head, skb);
4324 spin_unlock_irq(&head->lock);
4327 fput(io_file_from_index(ctx, index));
4331 static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
4334 #if defined(CONFIG_UNIX)
4335 struct sock *sock = ctx->ring_sock->sk;
4336 struct sk_buff_head *head = &sock->sk_receive_queue;
4337 struct sk_buff *skb;
4340 * See if we can merge this file into an existing skb SCM_RIGHTS
4341 * file set. If there's no room, fall back to allocating a new skb
4342 * and filling it in.
4344 spin_lock_irq(&head->lock);
4345 skb = skb_peek(head);
4347 struct scm_fp_list *fpl = UNIXCB(skb).fp;
4349 if (fpl->count < SCM_MAX_FD) {
4350 __skb_unlink(skb, head);
4351 spin_unlock_irq(&head->lock);
4352 fpl->fp[fpl->count] = get_file(file);
4353 unix_inflight(fpl->user, fpl->fp[fpl->count]);
4355 spin_lock_irq(&head->lock);
4356 __skb_queue_head(head, skb);
4361 spin_unlock_irq(&head->lock);
4368 return __io_sqe_files_scm(ctx, 1, index);
4374 static int io_sqe_files_update(struct io_ring_ctx *ctx, void __user *arg,
4377 struct io_uring_files_update up;
4382 if (!ctx->file_table)
4386 if (copy_from_user(&up, arg, sizeof(up)))
4388 if (check_add_overflow(up.offset, nr_args, &done))
4390 if (done > ctx->nr_user_files)
4394 fds = (__s32 __user *) up.fds;
4396 struct fixed_file_table *table;
4400 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
4404 i = array_index_nospec(up.offset, ctx->nr_user_files);
4405 table = &ctx->file_table[i >> IORING_FILE_TABLE_SHIFT];
4406 index = i & IORING_FILE_TABLE_MASK;
4407 if (table->files[index]) {
4408 io_sqe_file_unregister(ctx, i);
4409 table->files[index] = NULL;
4420 * Don't allow io_uring instances to be registered. If
4421 * UNIX isn't enabled, then this causes a reference
4422 * cycle and this instance can never get freed. If UNIX
4423 * is enabled we'll handle it just fine, but there's
4424 * still no point in allowing a ring fd as it doesn't
4425 * support regular read/write anyway.
4427 if (file->f_op == &io_uring_fops) {
4432 table->files[index] = file;
4433 err = io_sqe_file_register(ctx, file, i);
4442 return done ? done : err;
4445 static void io_put_work(struct io_wq_work *work)
4447 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4452 static void io_get_work(struct io_wq_work *work)
4454 struct io_kiocb *req = container_of(work, struct io_kiocb, work);
4456 refcount_inc(&req->refs);
4459 static int io_sq_offload_start(struct io_ring_ctx *ctx,
4460 struct io_uring_params *p)
4462 struct io_wq_data data;
4463 unsigned concurrency;
4466 init_waitqueue_head(&ctx->sqo_wait);
4467 mmgrab(current->mm);
4468 ctx->sqo_mm = current->mm;
4470 if (ctx->flags & IORING_SETUP_SQPOLL) {
4472 if (!capable(CAP_SYS_ADMIN))
4475 ctx->sq_thread_idle = msecs_to_jiffies(p->sq_thread_idle);
4476 if (!ctx->sq_thread_idle)
4477 ctx->sq_thread_idle = HZ;
4479 if (p->flags & IORING_SETUP_SQ_AFF) {
4480 int cpu = p->sq_thread_cpu;
4483 if (cpu >= nr_cpu_ids)
4485 if (!cpu_online(cpu))
4488 ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
4492 ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
4495 if (IS_ERR(ctx->sqo_thread)) {
4496 ret = PTR_ERR(ctx->sqo_thread);
4497 ctx->sqo_thread = NULL;
4500 wake_up_process(ctx->sqo_thread);
4501 } else if (p->flags & IORING_SETUP_SQ_AFF) {
4502 /* Can't have SQ_AFF without SQPOLL */
4507 data.mm = ctx->sqo_mm;
4508 data.user = ctx->user;
4509 data.creds = ctx->creds;
4510 data.get_work = io_get_work;
4511 data.put_work = io_put_work;
4513 /* Do QD, or 4 * CPUS, whatever is smallest */
4514 concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
4515 ctx->io_wq = io_wq_create(concurrency, &data);
4516 if (IS_ERR(ctx->io_wq)) {
4517 ret = PTR_ERR(ctx->io_wq);
4524 io_finish_async(ctx);
4525 mmdrop(ctx->sqo_mm);
4530 static void io_unaccount_mem(struct user_struct *user, unsigned long nr_pages)
4532 atomic_long_sub(nr_pages, &user->locked_vm);
4535 static int io_account_mem(struct user_struct *user, unsigned long nr_pages)
4537 unsigned long page_limit, cur_pages, new_pages;
4539 /* Don't allow more pages than we can safely lock */
4540 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
4543 cur_pages = atomic_long_read(&user->locked_vm);
4544 new_pages = cur_pages + nr_pages;
4545 if (new_pages > page_limit)
4547 } while (atomic_long_cmpxchg(&user->locked_vm, cur_pages,
4548 new_pages) != cur_pages);
4553 static void io_mem_free(void *ptr)
4560 page = virt_to_head_page(ptr);
4561 if (put_page_testzero(page))
4562 free_compound_page(page);
4565 static void *io_mem_alloc(size_t size)
4567 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP |
4570 return (void *) __get_free_pages(gfp_flags, get_order(size));
4573 static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries,
4576 struct io_rings *rings;
4577 size_t off, sq_array_size;
4579 off = struct_size(rings, cqes, cq_entries);
4580 if (off == SIZE_MAX)
4584 off = ALIGN(off, SMP_CACHE_BYTES);
4589 sq_array_size = array_size(sizeof(u32), sq_entries);
4590 if (sq_array_size == SIZE_MAX)
4593 if (check_add_overflow(off, sq_array_size, &off))
4602 static unsigned long ring_pages(unsigned sq_entries, unsigned cq_entries)
4606 pages = (size_t)1 << get_order(
4607 rings_size(sq_entries, cq_entries, NULL));
4608 pages += (size_t)1 << get_order(
4609 array_size(sizeof(struct io_uring_sqe), sq_entries));
4614 static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
4618 if (!ctx->user_bufs)
4621 for (i = 0; i < ctx->nr_user_bufs; i++) {
4622 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4624 for (j = 0; j < imu->nr_bvecs; j++)
4625 put_user_page(imu->bvec[j].bv_page);
4627 if (ctx->account_mem)
4628 io_unaccount_mem(ctx->user, imu->nr_bvecs);
4633 kfree(ctx->user_bufs);
4634 ctx->user_bufs = NULL;
4635 ctx->nr_user_bufs = 0;
4639 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
4640 void __user *arg, unsigned index)
4642 struct iovec __user *src;
4644 #ifdef CONFIG_COMPAT
4646 struct compat_iovec __user *ciovs;
4647 struct compat_iovec ciov;
4649 ciovs = (struct compat_iovec __user *) arg;
4650 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
4653 dst->iov_base = (void __user *) (unsigned long) ciov.iov_base;
4654 dst->iov_len = ciov.iov_len;
4658 src = (struct iovec __user *) arg;
4659 if (copy_from_user(dst, &src[index], sizeof(*dst)))
4664 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg,
4667 struct vm_area_struct **vmas = NULL;
4668 struct page **pages = NULL;
4669 int i, j, got_pages = 0;
4674 if (!nr_args || nr_args > UIO_MAXIOV)
4677 ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
4679 if (!ctx->user_bufs)
4682 for (i = 0; i < nr_args; i++) {
4683 struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
4684 unsigned long off, start, end, ubuf;
4689 ret = io_copy_iov(ctx, &iov, arg, i);
4694 * Don't impose further limits on the size and buffer
4695 * constraints here, we'll -EINVAL later when IO is
4696 * submitted if they are wrong.
4699 if (!iov.iov_base || !iov.iov_len)
4702 /* arbitrary limit, but we need something */
4703 if (iov.iov_len > SZ_1G)
4706 ubuf = (unsigned long) iov.iov_base;
4707 end = (ubuf + iov.iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
4708 start = ubuf >> PAGE_SHIFT;
4709 nr_pages = end - start;
4711 if (ctx->account_mem) {
4712 ret = io_account_mem(ctx->user, nr_pages);
4718 if (!pages || nr_pages > got_pages) {
4721 pages = kvmalloc_array(nr_pages, sizeof(struct page *),
4723 vmas = kvmalloc_array(nr_pages,
4724 sizeof(struct vm_area_struct *),
4726 if (!pages || !vmas) {
4728 if (ctx->account_mem)
4729 io_unaccount_mem(ctx->user, nr_pages);
4732 got_pages = nr_pages;
4735 imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec),
4739 if (ctx->account_mem)
4740 io_unaccount_mem(ctx->user, nr_pages);
4745 down_read(¤t->mm->mmap_sem);
4746 pret = get_user_pages(ubuf, nr_pages,
4747 FOLL_WRITE | FOLL_LONGTERM,
4749 if (pret == nr_pages) {
4750 /* don't support file backed memory */
4751 for (j = 0; j < nr_pages; j++) {
4752 struct vm_area_struct *vma = vmas[j];
4755 !is_file_hugepages(vma->vm_file)) {
4761 ret = pret < 0 ? pret : -EFAULT;
4763 up_read(¤t->mm->mmap_sem);
4766 * if we did partial map, or found file backed vmas,
4767 * release any pages we did get
4770 put_user_pages(pages, pret);
4771 if (ctx->account_mem)
4772 io_unaccount_mem(ctx->user, nr_pages);
4777 off = ubuf & ~PAGE_MASK;
4779 for (j = 0; j < nr_pages; j++) {
4782 vec_len = min_t(size_t, size, PAGE_SIZE - off);
4783 imu->bvec[j].bv_page = pages[j];
4784 imu->bvec[j].bv_len = vec_len;
4785 imu->bvec[j].bv_offset = off;
4789 /* store original address for later verification */
4791 imu->len = iov.iov_len;
4792 imu->nr_bvecs = nr_pages;
4794 ctx->nr_user_bufs++;
4802 io_sqe_buffer_unregister(ctx);
4806 static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
4808 __s32 __user *fds = arg;
4814 if (copy_from_user(&fd, fds, sizeof(*fds)))
4817 ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
4818 if (IS_ERR(ctx->cq_ev_fd)) {
4819 int ret = PTR_ERR(ctx->cq_ev_fd);
4820 ctx->cq_ev_fd = NULL;
4827 static int io_eventfd_unregister(struct io_ring_ctx *ctx)
4829 if (ctx->cq_ev_fd) {
4830 eventfd_ctx_put(ctx->cq_ev_fd);
4831 ctx->cq_ev_fd = NULL;
4838 static void io_ring_ctx_free(struct io_ring_ctx *ctx)
4840 io_finish_async(ctx);
4842 mmdrop(ctx->sqo_mm);
4844 io_iopoll_reap_events(ctx);
4845 io_sqe_buffer_unregister(ctx);
4846 io_sqe_files_unregister(ctx);
4847 io_eventfd_unregister(ctx);
4849 #if defined(CONFIG_UNIX)
4850 if (ctx->ring_sock) {
4851 ctx->ring_sock->file = NULL; /* so that iput() is called */
4852 sock_release(ctx->ring_sock);
4856 io_mem_free(ctx->rings);
4857 io_mem_free(ctx->sq_sqes);
4859 percpu_ref_exit(&ctx->refs);
4860 if (ctx->account_mem)
4861 io_unaccount_mem(ctx->user,
4862 ring_pages(ctx->sq_entries, ctx->cq_entries));
4863 free_uid(ctx->user);
4864 put_cred(ctx->creds);
4865 kfree(ctx->completions);
4866 kfree(ctx->cancel_hash);
4867 kmem_cache_free(req_cachep, ctx->fallback_req);
4871 static __poll_t io_uring_poll(struct file *file, poll_table *wait)
4873 struct io_ring_ctx *ctx = file->private_data;
4876 poll_wait(file, &ctx->cq_wait, wait);
4878 * synchronizes with barrier from wq_has_sleeper call in
4882 if (READ_ONCE(ctx->rings->sq.tail) - ctx->cached_sq_head !=
4883 ctx->rings->sq_ring_entries)
4884 mask |= EPOLLOUT | EPOLLWRNORM;
4885 if (READ_ONCE(ctx->rings->cq.head) != ctx->cached_cq_tail)
4886 mask |= EPOLLIN | EPOLLRDNORM;
4891 static int io_uring_fasync(int fd, struct file *file, int on)
4893 struct io_ring_ctx *ctx = file->private_data;
4895 return fasync_helper(fd, file, on, &ctx->cq_fasync);
4898 static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
4900 mutex_lock(&ctx->uring_lock);
4901 percpu_ref_kill(&ctx->refs);
4902 mutex_unlock(&ctx->uring_lock);
4904 io_kill_timeouts(ctx);
4905 io_poll_remove_all(ctx);
4908 io_wq_cancel_all(ctx->io_wq);
4910 io_iopoll_reap_events(ctx);
4911 /* if we failed setting up the ctx, we might not have any rings */
4913 io_cqring_overflow_flush(ctx, true);
4914 wait_for_completion(&ctx->completions[0]);
4915 io_ring_ctx_free(ctx);
4918 static int io_uring_release(struct inode *inode, struct file *file)
4920 struct io_ring_ctx *ctx = file->private_data;
4922 file->private_data = NULL;
4923 io_ring_ctx_wait_and_kill(ctx);
4927 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
4928 struct files_struct *files)
4930 struct io_kiocb *req;
4933 while (!list_empty_careful(&ctx->inflight_list)) {
4934 struct io_kiocb *cancel_req = NULL;
4936 spin_lock_irq(&ctx->inflight_lock);
4937 list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
4938 if (req->work.files != files)
4940 /* req is being completed, ignore */
4941 if (!refcount_inc_not_zero(&req->refs))
4947 prepare_to_wait(&ctx->inflight_wait, &wait,
4948 TASK_UNINTERRUPTIBLE);
4949 spin_unlock_irq(&ctx->inflight_lock);
4951 /* We need to keep going until we don't find a matching req */
4955 io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
4956 io_put_req(cancel_req);
4959 finish_wait(&ctx->inflight_wait, &wait);
4962 static int io_uring_flush(struct file *file, void *data)
4964 struct io_ring_ctx *ctx = file->private_data;
4966 io_uring_cancel_files(ctx, data);
4967 if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) {
4968 io_cqring_overflow_flush(ctx, true);
4969 io_wq_cancel_all(ctx->io_wq);
4974 static void *io_uring_validate_mmap_request(struct file *file,
4975 loff_t pgoff, size_t sz)
4977 struct io_ring_ctx *ctx = file->private_data;
4978 loff_t offset = pgoff << PAGE_SHIFT;
4983 case IORING_OFF_SQ_RING:
4984 case IORING_OFF_CQ_RING:
4987 case IORING_OFF_SQES:
4991 return ERR_PTR(-EINVAL);
4994 page = virt_to_head_page(ptr);
4995 if (sz > page_size(page))
4996 return ERR_PTR(-EINVAL);
5003 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5005 size_t sz = vma->vm_end - vma->vm_start;
5009 ptr = io_uring_validate_mmap_request(file, vma->vm_pgoff, sz);
5011 return PTR_ERR(ptr);
5013 pfn = virt_to_phys(ptr) >> PAGE_SHIFT;
5014 return remap_pfn_range(vma, vma->vm_start, pfn, sz, vma->vm_page_prot);
5017 #else /* !CONFIG_MMU */
5019 static int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
5021 return vma->vm_flags & (VM_SHARED | VM_MAYSHARE) ? 0 : -EINVAL;
5024 static unsigned int io_uring_nommu_mmap_capabilities(struct file *file)
5026 return NOMMU_MAP_DIRECT | NOMMU_MAP_READ | NOMMU_MAP_WRITE;
5029 static unsigned long io_uring_nommu_get_unmapped_area(struct file *file,
5030 unsigned long addr, unsigned long len,
5031 unsigned long pgoff, unsigned long flags)
5035 ptr = io_uring_validate_mmap_request(file, pgoff, len);
5037 return PTR_ERR(ptr);
5039 return (unsigned long) ptr;
5042 #endif /* !CONFIG_MMU */
5044 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
5045 u32, min_complete, u32, flags, const sigset_t __user *, sig,
5048 struct io_ring_ctx *ctx;
5053 if (flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP))
5061 if (f.file->f_op != &io_uring_fops)
5065 ctx = f.file->private_data;
5066 if (!percpu_ref_tryget(&ctx->refs))
5070 * For SQ polling, the thread will do all submissions and completions.
5071 * Just return the requested submit count, and wake the thread if
5075 if (ctx->flags & IORING_SETUP_SQPOLL) {
5076 if (!list_empty_careful(&ctx->cq_overflow_list))
5077 io_cqring_overflow_flush(ctx, false);
5078 if (flags & IORING_ENTER_SQ_WAKEUP)
5079 wake_up(&ctx->sqo_wait);
5080 submitted = to_submit;
5081 } else if (to_submit) {
5082 struct mm_struct *cur_mm;
5084 to_submit = min(to_submit, ctx->sq_entries);
5085 mutex_lock(&ctx->uring_lock);
5086 /* already have mm, so io_submit_sqes() won't try to grab it */
5087 cur_mm = ctx->sqo_mm;
5088 submitted = io_submit_sqes(ctx, to_submit, f.file, fd,
5090 mutex_unlock(&ctx->uring_lock);
5092 if (flags & IORING_ENTER_GETEVENTS) {
5093 unsigned nr_events = 0;
5095 min_complete = min(min_complete, ctx->cq_entries);
5097 if (ctx->flags & IORING_SETUP_IOPOLL) {
5098 ret = io_iopoll_check(ctx, &nr_events, min_complete);
5100 ret = io_cqring_wait(ctx, min_complete, sig, sigsz);
5104 percpu_ref_put(&ctx->refs);
5107 return submitted ? submitted : ret;
5110 static const struct file_operations io_uring_fops = {
5111 .release = io_uring_release,
5112 .flush = io_uring_flush,
5113 .mmap = io_uring_mmap,
5115 .get_unmapped_area = io_uring_nommu_get_unmapped_area,
5116 .mmap_capabilities = io_uring_nommu_mmap_capabilities,
5118 .poll = io_uring_poll,
5119 .fasync = io_uring_fasync,
5122 static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
5123 struct io_uring_params *p)
5125 struct io_rings *rings;
5126 size_t size, sq_array_offset;
5128 size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset);
5129 if (size == SIZE_MAX)
5132 rings = io_mem_alloc(size);
5137 ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
5138 rings->sq_ring_mask = p->sq_entries - 1;
5139 rings->cq_ring_mask = p->cq_entries - 1;
5140 rings->sq_ring_entries = p->sq_entries;
5141 rings->cq_ring_entries = p->cq_entries;
5142 ctx->sq_mask = rings->sq_ring_mask;
5143 ctx->cq_mask = rings->cq_ring_mask;
5144 ctx->sq_entries = rings->sq_ring_entries;
5145 ctx->cq_entries = rings->cq_ring_entries;
5147 size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
5148 if (size == SIZE_MAX) {
5149 io_mem_free(ctx->rings);
5154 ctx->sq_sqes = io_mem_alloc(size);
5155 if (!ctx->sq_sqes) {
5156 io_mem_free(ctx->rings);
5165 * Allocate an anonymous fd, this is what constitutes the application
5166 * visible backing of an io_uring instance. The application mmaps this
5167 * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled,
5168 * we have to tie this fd to a socket for file garbage collection purposes.
5170 static int io_uring_get_fd(struct io_ring_ctx *ctx)
5175 #if defined(CONFIG_UNIX)
5176 ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
5182 ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
5186 file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
5187 O_RDWR | O_CLOEXEC);
5190 ret = PTR_ERR(file);
5194 #if defined(CONFIG_UNIX)
5195 ctx->ring_sock->file = file;
5196 ctx->ring_sock->sk->sk_user_data = ctx;
5198 fd_install(ret, file);
5201 #if defined(CONFIG_UNIX)
5202 sock_release(ctx->ring_sock);
5203 ctx->ring_sock = NULL;
5208 static int io_uring_create(unsigned entries, struct io_uring_params *p)
5210 struct user_struct *user = NULL;
5211 struct io_ring_ctx *ctx;
5215 if (!entries || entries > IORING_MAX_ENTRIES)
5219 * Use twice as many entries for the CQ ring. It's possible for the
5220 * application to drive a higher depth than the size of the SQ ring,
5221 * since the sqes are only used at submission time. This allows for
5222 * some flexibility in overcommitting a bit. If the application has
5223 * set IORING_SETUP_CQSIZE, it will have passed in the desired number
5224 * of CQ ring entries manually.
5226 p->sq_entries = roundup_pow_of_two(entries);
5227 if (p->flags & IORING_SETUP_CQSIZE) {
5229 * If IORING_SETUP_CQSIZE is set, we do the same roundup
5230 * to a power-of-two, if it isn't already. We do NOT impose
5231 * any cq vs sq ring sizing.
5233 if (p->cq_entries < p->sq_entries || p->cq_entries > IORING_MAX_CQ_ENTRIES)
5235 p->cq_entries = roundup_pow_of_two(p->cq_entries);
5237 p->cq_entries = 2 * p->sq_entries;
5240 user = get_uid(current_user());
5241 account_mem = !capable(CAP_IPC_LOCK);
5244 ret = io_account_mem(user,
5245 ring_pages(p->sq_entries, p->cq_entries));
5252 ctx = io_ring_ctx_alloc(p);
5255 io_unaccount_mem(user, ring_pages(p->sq_entries,
5260 ctx->compat = in_compat_syscall();
5261 ctx->account_mem = account_mem;
5263 ctx->creds = get_current_cred();
5265 ret = io_allocate_scq_urings(ctx, p);
5269 ret = io_sq_offload_start(ctx, p);
5273 memset(&p->sq_off, 0, sizeof(p->sq_off));
5274 p->sq_off.head = offsetof(struct io_rings, sq.head);
5275 p->sq_off.tail = offsetof(struct io_rings, sq.tail);
5276 p->sq_off.ring_mask = offsetof(struct io_rings, sq_ring_mask);
5277 p->sq_off.ring_entries = offsetof(struct io_rings, sq_ring_entries);
5278 p->sq_off.flags = offsetof(struct io_rings, sq_flags);
5279 p->sq_off.dropped = offsetof(struct io_rings, sq_dropped);
5280 p->sq_off.array = (char *)ctx->sq_array - (char *)ctx->rings;
5282 memset(&p->cq_off, 0, sizeof(p->cq_off));
5283 p->cq_off.head = offsetof(struct io_rings, cq.head);
5284 p->cq_off.tail = offsetof(struct io_rings, cq.tail);
5285 p->cq_off.ring_mask = offsetof(struct io_rings, cq_ring_mask);
5286 p->cq_off.ring_entries = offsetof(struct io_rings, cq_ring_entries);
5287 p->cq_off.overflow = offsetof(struct io_rings, cq_overflow);
5288 p->cq_off.cqes = offsetof(struct io_rings, cqes);
5291 * Install ring fd as the very last thing, so we don't risk someone
5292 * having closed it before we finish setup
5294 ret = io_uring_get_fd(ctx);
5298 p->features = IORING_FEAT_SINGLE_MMAP | IORING_FEAT_NODROP |
5299 IORING_FEAT_SUBMIT_STABLE;
5300 trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
5303 io_ring_ctx_wait_and_kill(ctx);
5308 * Sets up an aio uring context, and returns the fd. Applications asks for a
5309 * ring size, we return the actual sq/cq ring sizes (among other things) in the
5310 * params structure passed in.
5312 static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
5314 struct io_uring_params p;
5318 if (copy_from_user(&p, params, sizeof(p)))
5320 for (i = 0; i < ARRAY_SIZE(p.resv); i++) {
5325 if (p.flags & ~(IORING_SETUP_IOPOLL | IORING_SETUP_SQPOLL |
5326 IORING_SETUP_SQ_AFF | IORING_SETUP_CQSIZE))
5329 ret = io_uring_create(entries, &p);
5333 if (copy_to_user(params, &p, sizeof(p)))
5339 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
5340 struct io_uring_params __user *, params)
5342 return io_uring_setup(entries, params);
5345 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
5346 void __user *arg, unsigned nr_args)
5347 __releases(ctx->uring_lock)
5348 __acquires(ctx->uring_lock)
5353 * We're inside the ring mutex, if the ref is already dying, then
5354 * someone else killed the ctx or is already going through
5355 * io_uring_register().
5357 if (percpu_ref_is_dying(&ctx->refs))
5360 percpu_ref_kill(&ctx->refs);
5363 * Drop uring mutex before waiting for references to exit. If another
5364 * thread is currently inside io_uring_enter() it might need to grab
5365 * the uring_lock to make progress. If we hold it here across the drain
5366 * wait, then we can deadlock. It's safe to drop the mutex here, since
5367 * no new references will come in after we've killed the percpu ref.
5369 mutex_unlock(&ctx->uring_lock);
5370 wait_for_completion(&ctx->completions[0]);
5371 mutex_lock(&ctx->uring_lock);
5374 case IORING_REGISTER_BUFFERS:
5375 ret = io_sqe_buffer_register(ctx, arg, nr_args);
5377 case IORING_UNREGISTER_BUFFERS:
5381 ret = io_sqe_buffer_unregister(ctx);
5383 case IORING_REGISTER_FILES:
5384 ret = io_sqe_files_register(ctx, arg, nr_args);
5386 case IORING_UNREGISTER_FILES:
5390 ret = io_sqe_files_unregister(ctx);
5392 case IORING_REGISTER_FILES_UPDATE:
5393 ret = io_sqe_files_update(ctx, arg, nr_args);
5395 case IORING_REGISTER_EVENTFD:
5399 ret = io_eventfd_register(ctx, arg);
5401 case IORING_UNREGISTER_EVENTFD:
5405 ret = io_eventfd_unregister(ctx);
5412 /* bring the ctx back to life */
5413 reinit_completion(&ctx->completions[0]);
5414 percpu_ref_reinit(&ctx->refs);
5418 SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
5419 void __user *, arg, unsigned int, nr_args)
5421 struct io_ring_ctx *ctx;
5430 if (f.file->f_op != &io_uring_fops)
5433 ctx = f.file->private_data;
5435 mutex_lock(&ctx->uring_lock);
5436 ret = __io_uring_register(ctx, opcode, arg, nr_args);
5437 mutex_unlock(&ctx->uring_lock);
5438 trace_io_uring_register(ctx, opcode, ctx->nr_user_files, ctx->nr_user_bufs,
5439 ctx->cq_ev_fd != NULL, ret);
5445 static int __init io_uring_init(void)
5447 req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
5450 __initcall(io_uring_init);
projects / platform / kernel / linux-starfive.git / blob