1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/namei.h>
9 #include <linux/poll.h>
10 #include <linux/io_uring.h>
12 #include <uapi/linux/io_uring.h>
18 #define IO_BUFFER_LIST_BUF_PER_PAGE (PAGE_SIZE / sizeof(struct io_uring_buf))
22 /* BIDs are addressed by a 16-bit field in a CQE */
23 #define MAX_BIDS_PER_BGID (1 << 16)
25 struct io_provide_buf {
34 static struct io_buffer_list *__io_buffer_get_list(struct io_ring_ctx *ctx,
35 struct io_buffer_list *bl,
38 if (bl && bgid < BGID_ARRAY)
41 return xa_load(&ctx->io_bl_xa, bgid);
45 struct hlist_node list;
51 static inline struct io_buffer_list *io_buffer_get_list(struct io_ring_ctx *ctx,
54 lockdep_assert_held(&ctx->uring_lock);
56 return __io_buffer_get_list(ctx, ctx->io_bl, bgid);
59 static int io_buffer_add_list(struct io_ring_ctx *ctx,
60 struct io_buffer_list *bl, unsigned int bgid)
63 * Store buffer group ID and finally mark the list as visible.
64 * The normal lookup doesn't care about the visibility as we're
65 * always under the ->uring_lock, but the RCU lookup from mmap does.
68 smp_store_release(&bl->is_ready, 1);
70 if (bgid < BGID_ARRAY)
73 return xa_err(xa_store(&ctx->io_bl_xa, bgid, bl, GFP_KERNEL));
76 void io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags)
78 struct io_ring_ctx *ctx = req->ctx;
79 struct io_buffer_list *bl;
80 struct io_buffer *buf;
83 * For legacy provided buffer mode, don't recycle if we already did
84 * IO to this buffer. For ring-mapped provided buffer mode, we should
85 * increment ring->head to explicitly monopolize the buffer to avoid
88 if (req->flags & REQ_F_PARTIAL_IO)
91 io_ring_submit_lock(ctx, issue_flags);
94 bl = io_buffer_get_list(ctx, buf->bgid);
95 list_add(&buf->list, &bl->buf_list);
96 req->flags &= ~REQ_F_BUFFER_SELECTED;
97 req->buf_index = buf->bgid;
99 io_ring_submit_unlock(ctx, issue_flags);
103 unsigned int __io_put_kbuf(struct io_kiocb *req, unsigned issue_flags)
108 * We can add this buffer back to two lists:
110 * 1) The io_buffers_cache list. This one is protected by the
111 * ctx->uring_lock. If we already hold this lock, add back to this
112 * list as we can grab it from issue as well.
113 * 2) The io_buffers_comp list. This one is protected by the
114 * ctx->completion_lock.
116 * We migrate buffers from the comp_list to the issue cache list
119 if (req->flags & REQ_F_BUFFER_RING) {
120 /* no buffers to recycle for this case */
121 cflags = __io_put_kbuf_list(req, NULL);
122 } else if (issue_flags & IO_URING_F_UNLOCKED) {
123 struct io_ring_ctx *ctx = req->ctx;
125 spin_lock(&ctx->completion_lock);
126 cflags = __io_put_kbuf_list(req, &ctx->io_buffers_comp);
127 spin_unlock(&ctx->completion_lock);
129 lockdep_assert_held(&req->ctx->uring_lock);
131 cflags = __io_put_kbuf_list(req, &req->ctx->io_buffers_cache);
136 static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
137 struct io_buffer_list *bl)
139 if (!list_empty(&bl->buf_list)) {
140 struct io_buffer *kbuf;
142 kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
143 list_del(&kbuf->list);
144 if (*len == 0 || *len > kbuf->len)
146 req->flags |= REQ_F_BUFFER_SELECTED;
148 req->buf_index = kbuf->bid;
149 return u64_to_user_ptr(kbuf->addr);
154 static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len,
155 struct io_buffer_list *bl,
156 unsigned int issue_flags)
158 struct io_uring_buf_ring *br = bl->buf_ring;
159 struct io_uring_buf *buf;
160 __u16 head = bl->head;
162 if (unlikely(smp_load_acquire(&br->tail) == head))
166 /* mmaped buffers are always contig */
167 if (bl->is_mmap || head < IO_BUFFER_LIST_BUF_PER_PAGE) {
168 buf = &br->bufs[head];
170 int off = head & (IO_BUFFER_LIST_BUF_PER_PAGE - 1);
171 int index = head / IO_BUFFER_LIST_BUF_PER_PAGE;
172 buf = page_address(bl->buf_pages[index]);
175 if (*len == 0 || *len > buf->len)
177 req->flags |= REQ_F_BUFFER_RING;
179 req->buf_index = buf->bid;
181 if (issue_flags & IO_URING_F_UNLOCKED || !file_can_poll(req->file)) {
183 * If we came in unlocked, we have no choice but to consume the
184 * buffer here, otherwise nothing ensures that the buffer won't
185 * get used by others. This does mean it'll be pinned until the
186 * IO completes, coming in unlocked means we're being called from
187 * io-wq context and there may be further retries in async hybrid
188 * mode. For the locked case, the caller must call commit when
189 * the transfer completes (or if we get -EAGAIN and must poll of
192 req->buf_list = NULL;
195 return u64_to_user_ptr(buf->addr);
198 void __user *io_buffer_select(struct io_kiocb *req, size_t *len,
199 unsigned int issue_flags)
201 struct io_ring_ctx *ctx = req->ctx;
202 struct io_buffer_list *bl;
203 void __user *ret = NULL;
205 io_ring_submit_lock(req->ctx, issue_flags);
207 bl = io_buffer_get_list(ctx, req->buf_index);
210 ret = io_ring_buffer_select(req, len, bl, issue_flags);
212 ret = io_provided_buffer_select(req, len, bl);
214 io_ring_submit_unlock(req->ctx, issue_flags);
218 static __cold int io_init_bl_list(struct io_ring_ctx *ctx)
220 struct io_buffer_list *bl;
223 bl = kcalloc(BGID_ARRAY, sizeof(struct io_buffer_list), GFP_KERNEL);
227 for (i = 0; i < BGID_ARRAY; i++) {
228 INIT_LIST_HEAD(&bl[i].buf_list);
232 smp_store_release(&ctx->io_bl, bl);
237 * Mark the given mapped range as free for reuse
239 static void io_kbuf_mark_free(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
241 struct io_buf_free *ibf;
243 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
244 if (bl->buf_ring == ibf->mem) {
250 /* can't happen... */
254 static int __io_remove_buffers(struct io_ring_ctx *ctx,
255 struct io_buffer_list *bl, unsigned nbufs)
259 /* shouldn't happen */
264 i = bl->buf_ring->tail - bl->head;
267 * io_kbuf_list_free() will free the page(s) at
270 io_kbuf_mark_free(ctx, bl);
273 } else if (bl->buf_nr_pages) {
276 for (j = 0; j < bl->buf_nr_pages; j++)
277 unpin_user_page(bl->buf_pages[j]);
278 kvfree(bl->buf_pages);
279 bl->buf_pages = NULL;
280 bl->buf_nr_pages = 0;
282 /* make sure it's seen as empty */
283 INIT_LIST_HEAD(&bl->buf_list);
288 /* protects io_buffers_cache */
289 lockdep_assert_held(&ctx->uring_lock);
291 while (!list_empty(&bl->buf_list)) {
292 struct io_buffer *nxt;
294 nxt = list_first_entry(&bl->buf_list, struct io_buffer, list);
295 list_move(&nxt->list, &ctx->io_buffers_cache);
304 void io_destroy_buffers(struct io_ring_ctx *ctx)
306 struct io_buffer_list *bl;
310 for (i = 0; i < BGID_ARRAY; i++) {
313 __io_remove_buffers(ctx, &ctx->io_bl[i], -1U);
316 xa_for_each(&ctx->io_bl_xa, index, bl) {
317 xa_erase(&ctx->io_bl_xa, bl->bgid);
318 __io_remove_buffers(ctx, bl, -1U);
322 while (!list_empty(&ctx->io_buffers_pages)) {
325 page = list_first_entry(&ctx->io_buffers_pages, struct page, lru);
326 list_del_init(&page->lru);
331 int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
333 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
336 if (sqe->rw_flags || sqe->addr || sqe->len || sqe->off ||
340 tmp = READ_ONCE(sqe->fd);
341 if (!tmp || tmp > MAX_BIDS_PER_BGID)
344 memset(p, 0, sizeof(*p));
346 p->bgid = READ_ONCE(sqe->buf_group);
350 int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
352 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
353 struct io_ring_ctx *ctx = req->ctx;
354 struct io_buffer_list *bl;
357 io_ring_submit_lock(ctx, issue_flags);
360 bl = io_buffer_get_list(ctx, p->bgid);
363 /* can't use provide/remove buffers command on mapped buffers */
365 ret = __io_remove_buffers(ctx, bl, p->nbufs);
367 io_ring_submit_unlock(ctx, issue_flags);
370 io_req_set_res(req, ret, 0);
374 int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
376 unsigned long size, tmp_check;
377 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
380 if (sqe->rw_flags || sqe->splice_fd_in)
383 tmp = READ_ONCE(sqe->fd);
384 if (!tmp || tmp > MAX_BIDS_PER_BGID)
387 p->addr = READ_ONCE(sqe->addr);
388 p->len = READ_ONCE(sqe->len);
390 if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
393 if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
396 size = (unsigned long)p->len * p->nbufs;
397 if (!access_ok(u64_to_user_ptr(p->addr), size))
400 p->bgid = READ_ONCE(sqe->buf_group);
401 tmp = READ_ONCE(sqe->off);
404 if (tmp + p->nbufs > MAX_BIDS_PER_BGID)
410 static int io_refill_buffer_cache(struct io_ring_ctx *ctx)
412 struct io_buffer *buf;
417 * Completions that don't happen inline (eg not under uring_lock) will
418 * add to ->io_buffers_comp. If we don't have any free buffers, check
419 * the completion list and splice those entries first.
421 if (!list_empty_careful(&ctx->io_buffers_comp)) {
422 spin_lock(&ctx->completion_lock);
423 if (!list_empty(&ctx->io_buffers_comp)) {
424 list_splice_init(&ctx->io_buffers_comp,
425 &ctx->io_buffers_cache);
426 spin_unlock(&ctx->completion_lock);
429 spin_unlock(&ctx->completion_lock);
433 * No free buffers and no completion entries either. Allocate a new
434 * page worth of buffer entries and add those to our freelist.
436 page = alloc_page(GFP_KERNEL_ACCOUNT);
440 list_add(&page->lru, &ctx->io_buffers_pages);
442 buf = page_address(page);
443 bufs_in_page = PAGE_SIZE / sizeof(*buf);
444 while (bufs_in_page) {
445 list_add_tail(&buf->list, &ctx->io_buffers_cache);
453 static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
454 struct io_buffer_list *bl)
456 struct io_buffer *buf;
457 u64 addr = pbuf->addr;
458 int i, bid = pbuf->bid;
460 for (i = 0; i < pbuf->nbufs; i++) {
461 if (list_empty(&ctx->io_buffers_cache) &&
462 io_refill_buffer_cache(ctx))
464 buf = list_first_entry(&ctx->io_buffers_cache, struct io_buffer,
466 list_move_tail(&buf->list, &bl->buf_list);
468 buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
470 buf->bgid = pbuf->bgid;
476 return i ? 0 : -ENOMEM;
479 int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
481 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
482 struct io_ring_ctx *ctx = req->ctx;
483 struct io_buffer_list *bl;
486 io_ring_submit_lock(ctx, issue_flags);
488 if (unlikely(p->bgid < BGID_ARRAY && !ctx->io_bl)) {
489 ret = io_init_bl_list(ctx);
494 bl = io_buffer_get_list(ctx, p->bgid);
496 bl = kzalloc(sizeof(*bl), GFP_KERNEL_ACCOUNT);
501 INIT_LIST_HEAD(&bl->buf_list);
502 ret = io_buffer_add_list(ctx, bl, p->bgid);
505 * Doesn't need rcu free as it was never visible, but
506 * let's keep it consistent throughout. Also can't
507 * be a lower indexed array group, as adding one
508 * where lookup failed cannot happen.
510 if (p->bgid >= BGID_ARRAY)
517 /* can't add buffers via this command for a mapped buffer ring */
523 ret = io_add_buffers(ctx, p, bl);
525 io_ring_submit_unlock(ctx, issue_flags);
529 io_req_set_res(req, ret, 0);
533 static int io_pin_pbuf_ring(struct io_uring_buf_reg *reg,
534 struct io_buffer_list *bl)
536 struct io_uring_buf_ring *br;
540 pages = io_pin_pages(reg->ring_addr,
541 flex_array_size(br, bufs, reg->ring_entries),
544 return PTR_ERR(pages);
547 * Apparently some 32-bit boxes (ARM) will return highmem pages,
548 * which then need to be mapped. We could support that, but it'd
549 * complicate the code and slowdown the common cases quite a bit.
550 * So just error out, returning -EINVAL just like we did on kernels
551 * that didn't support mapped buffer rings.
553 for (i = 0; i < nr_pages; i++)
554 if (PageHighMem(pages[i]))
557 br = page_address(pages[0]);
560 * On platforms that have specific aliasing requirements, SHM_COLOUR
561 * is set and we must guarantee that the kernel and user side align
562 * nicely. We cannot do that if IOU_PBUF_RING_MMAP isn't set and
563 * the application mmap's the provided ring buffer. Fail the request
564 * if we, by chance, don't end up with aligned addresses. The app
565 * should use IOU_PBUF_RING_MMAP instead, and liburing will handle
566 * this transparently.
568 if ((reg->ring_addr | (unsigned long) br) & (SHM_COLOUR - 1))
571 bl->buf_pages = pages;
572 bl->buf_nr_pages = nr_pages;
578 for (i = 0; i < nr_pages; i++)
579 unpin_user_page(pages[i]);
585 * See if we have a suitable region that we can reuse, rather than allocate
586 * both a new io_buf_free and mem region again. We leave it on the list as
587 * even a reused entry will need freeing at ring release.
589 static struct io_buf_free *io_lookup_buf_free_entry(struct io_ring_ctx *ctx,
592 struct io_buf_free *ibf, *best = NULL;
595 hlist_for_each_entry(ibf, &ctx->io_buf_list, list) {
598 if (ibf->inuse || ibf->size < ring_size)
600 dist = ibf->size - ring_size;
601 if (!best || dist < best_dist) {
612 static int io_alloc_pbuf_ring(struct io_ring_ctx *ctx,
613 struct io_uring_buf_reg *reg,
614 struct io_buffer_list *bl)
616 struct io_buf_free *ibf;
620 ring_size = reg->ring_entries * sizeof(struct io_uring_buf_ring);
622 /* Reuse existing entry, if we can */
623 ibf = io_lookup_buf_free_entry(ctx, ring_size);
625 ptr = io_mem_alloc(ring_size);
629 /* Allocate and store deferred free entry */
630 ibf = kmalloc(sizeof(*ibf), GFP_KERNEL_ACCOUNT);
636 ibf->size = ring_size;
637 hlist_add_head(&ibf->list, &ctx->io_buf_list);
640 bl->buf_ring = ibf->mem;
646 int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
648 struct io_uring_buf_reg reg;
649 struct io_buffer_list *bl, *free_bl = NULL;
652 lockdep_assert_held(&ctx->uring_lock);
654 if (copy_from_user(®, arg, sizeof(reg)))
657 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
659 if (reg.flags & ~IOU_PBUF_RING_MMAP)
661 if (!(reg.flags & IOU_PBUF_RING_MMAP)) {
664 if (reg.ring_addr & ~PAGE_MASK)
671 if (!is_power_of_2(reg.ring_entries))
674 /* cannot disambiguate full vs empty due to head/tail size */
675 if (reg.ring_entries >= 65536)
678 if (unlikely(reg.bgid < BGID_ARRAY && !ctx->io_bl)) {
679 int ret = io_init_bl_list(ctx);
684 bl = io_buffer_get_list(ctx, reg.bgid);
686 /* if mapped buffer ring OR classic exists, don't allow */
687 if (bl->is_mapped || !list_empty(&bl->buf_list))
690 free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
695 if (!(reg.flags & IOU_PBUF_RING_MMAP))
696 ret = io_pin_pbuf_ring(®, bl);
698 ret = io_alloc_pbuf_ring(ctx, ®, bl);
701 bl->nr_entries = reg.ring_entries;
702 bl->mask = reg.ring_entries - 1;
704 io_buffer_add_list(ctx, bl, reg.bgid);
708 kfree_rcu(free_bl, rcu);
712 int io_unregister_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
714 struct io_uring_buf_reg reg;
715 struct io_buffer_list *bl;
717 lockdep_assert_held(&ctx->uring_lock);
719 if (copy_from_user(®, arg, sizeof(reg)))
721 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
726 bl = io_buffer_get_list(ctx, reg.bgid);
732 __io_remove_buffers(ctx, bl, -1U);
733 if (bl->bgid >= BGID_ARRAY) {
734 xa_erase(&ctx->io_bl_xa, bl->bgid);
740 void *io_pbuf_get_address(struct io_ring_ctx *ctx, unsigned long bgid)
742 struct io_buffer_list *bl;
744 bl = __io_buffer_get_list(ctx, smp_load_acquire(&ctx->io_bl), bgid);
746 if (!bl || !bl->is_mmap)
749 * Ensure the list is fully setup. Only strictly needed for RCU lookup
750 * via mmap, and in that case only for the array indexed groups. For
751 * the xarray lookups, it's either visible and ready, or not at all.
753 if (!smp_load_acquire(&bl->is_ready))
760 * Called at or after ->release(), free the mmap'ed buffers that we used
761 * for memory mapped provided buffer rings.
763 void io_kbuf_mmap_list_free(struct io_ring_ctx *ctx)
765 struct io_buf_free *ibf;
766 struct hlist_node *tmp;
768 hlist_for_each_entry_safe(ibf, tmp, &ctx->io_buf_list, list) {
769 hlist_del(&ibf->list);
770 io_mem_free(ibf->mem);
projects / platform / kernel / linux-rpi.git / blob