1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/nospec.h>
9 #include <linux/hugetlb.h>
10 #include <linux/compat.h>
11 #include <linux/io_uring.h>
13 #include <uapi/linux/io_uring.h>
16 #include "openclose.h"
19 struct io_rsrc_update {
26 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
27 struct io_mapped_ubuf **pimu,
28 struct page **last_hpage);
31 #define IORING_MAX_FIXED_FILES (1U << 20)
32 #define IORING_MAX_REG_BUFFERS (1U << 14)
34 int __io_account_mem(struct user_struct *user, unsigned long nr_pages)
36 unsigned long page_limit, cur_pages, new_pages;
41 /* Don't allow more pages than we can safely lock */
42 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
44 cur_pages = atomic_long_read(&user->locked_vm);
46 new_pages = cur_pages + nr_pages;
47 if (new_pages > page_limit)
49 } while (!atomic_long_try_cmpxchg(&user->locked_vm,
50 &cur_pages, new_pages));
54 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
57 __io_unaccount_mem(ctx->user, nr_pages);
60 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
63 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
68 ret = __io_account_mem(ctx->user, nr_pages);
74 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
79 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
80 void __user *arg, unsigned index)
82 struct iovec __user *src;
86 struct compat_iovec __user *ciovs;
87 struct compat_iovec ciov;
89 ciovs = (struct compat_iovec __user *) arg;
90 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
93 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
94 dst->iov_len = ciov.iov_len;
98 src = (struct iovec __user *) arg;
99 if (copy_from_user(dst, &src[index], sizeof(*dst)))
104 static int io_buffer_validate(struct iovec *iov)
106 unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
109 * Don't impose further limits on the size and buffer
110 * constraints here, we'll -EINVAL later when IO is
111 * submitted if they are wrong.
114 return iov->iov_len ? -EFAULT : 0;
118 /* arbitrary limit, but we need something */
119 if (iov->iov_len > SZ_1G)
122 if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
128 static void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)
130 struct io_mapped_ubuf *imu = *slot;
133 if (imu != ctx->dummy_ubuf) {
134 for (i = 0; i < imu->nr_bvecs; i++)
135 unpin_user_page(imu->bvec[i].bv_page);
137 io_unaccount_mem(ctx, imu->acct_pages);
143 static void __io_rsrc_put_work(struct io_rsrc_node *ref_node)
145 struct io_rsrc_data *rsrc_data = ref_node->rsrc_data;
146 struct io_ring_ctx *ctx = rsrc_data->ctx;
147 struct io_rsrc_put *prsrc, *tmp;
149 list_for_each_entry_safe(prsrc, tmp, &ref_node->rsrc_list, list) {
150 list_del(&prsrc->list);
153 if (ctx->flags & IORING_SETUP_IOPOLL) {
154 mutex_lock(&ctx->uring_lock);
155 io_post_aux_cqe(ctx, prsrc->tag, 0, 0);
156 mutex_unlock(&ctx->uring_lock);
158 io_post_aux_cqe(ctx, prsrc->tag, 0, 0);
162 rsrc_data->do_put(ctx, prsrc);
166 io_rsrc_node_destroy(ref_node);
167 if (atomic_dec_and_test(&rsrc_data->refs))
168 complete(&rsrc_data->done);
171 void io_rsrc_put_work(struct work_struct *work)
173 struct io_ring_ctx *ctx;
174 struct llist_node *node;
176 ctx = container_of(work, struct io_ring_ctx, rsrc_put_work.work);
177 node = llist_del_all(&ctx->rsrc_put_llist);
180 struct io_rsrc_node *ref_node;
181 struct llist_node *next = node->next;
183 ref_node = llist_entry(node, struct io_rsrc_node, llist);
184 __io_rsrc_put_work(ref_node);
189 void io_rsrc_put_tw(struct callback_head *cb)
191 struct io_ring_ctx *ctx = container_of(cb, struct io_ring_ctx,
194 io_rsrc_put_work(&ctx->rsrc_put_work.work);
197 void io_wait_rsrc_data(struct io_rsrc_data *data)
199 if (data && !atomic_dec_and_test(&data->refs))
200 wait_for_completion(&data->done);
203 void io_rsrc_node_destroy(struct io_rsrc_node *ref_node)
208 void io_rsrc_node_ref_zero(struct io_rsrc_node *node)
209 __must_hold(&node->rsrc_data->ctx->uring_lock)
211 struct io_ring_ctx *ctx = node->rsrc_data->ctx;
212 bool first_add = false;
213 unsigned long delay = HZ;
217 /* if we are mid-quiesce then do not delay */
218 if (node->rsrc_data->quiesce)
221 while (!list_empty(&ctx->rsrc_ref_list)) {
222 node = list_first_entry(&ctx->rsrc_ref_list,
223 struct io_rsrc_node, node);
224 /* recycle ref nodes in order */
227 list_del(&node->node);
228 first_add |= llist_add(&node->llist, &ctx->rsrc_put_llist);
234 if (ctx->submitter_task) {
235 if (!task_work_add(ctx->submitter_task, &ctx->rsrc_put_tw,
239 mod_delayed_work(system_wq, &ctx->rsrc_put_work, delay);
242 static struct io_rsrc_node *io_rsrc_node_alloc(void)
244 struct io_rsrc_node *ref_node;
246 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
251 INIT_LIST_HEAD(&ref_node->node);
252 INIT_LIST_HEAD(&ref_node->rsrc_list);
253 ref_node->done = false;
257 void io_rsrc_node_switch(struct io_ring_ctx *ctx,
258 struct io_rsrc_data *data_to_kill)
259 __must_hold(&ctx->uring_lock)
261 WARN_ON_ONCE(!ctx->rsrc_backup_node);
262 WARN_ON_ONCE(data_to_kill && !ctx->rsrc_node);
265 struct io_rsrc_node *rsrc_node = ctx->rsrc_node;
267 rsrc_node->rsrc_data = data_to_kill;
268 list_add_tail(&rsrc_node->node, &ctx->rsrc_ref_list);
270 atomic_inc(&data_to_kill->refs);
272 io_put_rsrc_node(rsrc_node);
273 ctx->rsrc_node = NULL;
276 if (!ctx->rsrc_node) {
277 ctx->rsrc_node = ctx->rsrc_backup_node;
278 ctx->rsrc_backup_node = NULL;
282 int io_rsrc_node_switch_start(struct io_ring_ctx *ctx)
284 if (ctx->rsrc_backup_node)
286 ctx->rsrc_backup_node = io_rsrc_node_alloc();
287 return ctx->rsrc_backup_node ? 0 : -ENOMEM;
290 __cold static int io_rsrc_ref_quiesce(struct io_rsrc_data *data,
291 struct io_ring_ctx *ctx)
295 /* As we may drop ->uring_lock, other task may have started quiesce */
298 ret = io_rsrc_node_switch_start(ctx);
301 io_rsrc_node_switch(ctx, data);
303 /* kill initial ref, already quiesced if zero */
304 if (atomic_dec_and_test(&data->refs))
307 data->quiesce = true;
308 mutex_unlock(&ctx->uring_lock);
310 ret = io_run_task_work_sig(ctx);
312 atomic_inc(&data->refs);
313 /* wait for all works potentially completing data->done */
314 flush_delayed_work(&ctx->rsrc_put_work);
315 reinit_completion(&data->done);
316 mutex_lock(&ctx->uring_lock);
320 flush_delayed_work(&ctx->rsrc_put_work);
321 ret = wait_for_completion_interruptible(&data->done);
323 mutex_lock(&ctx->uring_lock);
324 if (atomic_read(&data->refs) <= 0)
327 * it has been revived by another thread while
330 mutex_unlock(&ctx->uring_lock);
333 data->quiesce = false;
338 static void io_free_page_table(void **table, size_t size)
340 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
342 for (i = 0; i < nr_tables; i++)
347 static void io_rsrc_data_free(struct io_rsrc_data *data)
349 size_t size = data->nr * sizeof(data->tags[0][0]);
352 io_free_page_table((void **)data->tags, size);
356 static __cold void **io_alloc_page_table(size_t size)
358 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
359 size_t init_size = size;
362 table = kcalloc(nr_tables, sizeof(*table), GFP_KERNEL_ACCOUNT);
366 for (i = 0; i < nr_tables; i++) {
367 unsigned int this_size = min_t(size_t, size, PAGE_SIZE);
369 table[i] = kzalloc(this_size, GFP_KERNEL_ACCOUNT);
371 io_free_page_table(table, init_size);
379 __cold static int io_rsrc_data_alloc(struct io_ring_ctx *ctx,
380 rsrc_put_fn *do_put, u64 __user *utags,
381 unsigned nr, struct io_rsrc_data **pdata)
383 struct io_rsrc_data *data;
387 data = kzalloc(sizeof(*data), GFP_KERNEL);
390 data->tags = (u64 **)io_alloc_page_table(nr * sizeof(data->tags[0][0]));
398 data->do_put = do_put;
401 for (i = 0; i < nr; i++) {
402 u64 *tag_slot = io_get_tag_slot(data, i);
404 if (copy_from_user(tag_slot, &utags[i],
410 atomic_set(&data->refs, 1);
411 init_completion(&data->done);
415 io_rsrc_data_free(data);
419 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
420 struct io_uring_rsrc_update2 *up,
423 u64 __user *tags = u64_to_user_ptr(up->tags);
424 __s32 __user *fds = u64_to_user_ptr(up->data);
425 struct io_rsrc_data *data = ctx->file_data;
426 struct io_fixed_file *file_slot;
430 bool needs_switch = false;
434 if (up->offset + nr_args > ctx->nr_user_files)
437 for (done = 0; done < nr_args; done++) {
440 if ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||
441 copy_from_user(&fd, &fds[done], sizeof(fd))) {
445 if ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) {
449 if (fd == IORING_REGISTER_FILES_SKIP)
452 i = array_index_nospec(up->offset + done, ctx->nr_user_files);
453 file_slot = io_fixed_file_slot(&ctx->file_table, i);
455 if (file_slot->file_ptr) {
456 file = (struct file *)(file_slot->file_ptr & FFS_MASK);
457 err = io_queue_rsrc_removal(data, i, ctx->rsrc_node, file);
460 file_slot->file_ptr = 0;
461 io_file_bitmap_clear(&ctx->file_table, i);
471 * Don't allow io_uring instances to be registered. If
472 * UNIX isn't enabled, then this causes a reference
473 * cycle and this instance can never get freed. If UNIX
474 * is enabled we'll handle it just fine, but there's
475 * still no point in allowing a ring fd as it doesn't
476 * support regular read/write anyway.
478 if (io_is_uring_fops(file)) {
483 err = io_scm_file_account(ctx, file);
488 *io_get_tag_slot(data, i) = tag;
489 io_fixed_file_set(file_slot, file);
490 io_file_bitmap_set(&ctx->file_table, i);
495 io_rsrc_node_switch(ctx, data);
496 return done ? done : err;
499 static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
500 struct io_uring_rsrc_update2 *up,
501 unsigned int nr_args)
503 u64 __user *tags = u64_to_user_ptr(up->tags);
504 struct iovec iov, __user *iovs = u64_to_user_ptr(up->data);
505 struct page *last_hpage = NULL;
506 bool needs_switch = false;
512 if (up->offset + nr_args > ctx->nr_user_bufs)
515 for (done = 0; done < nr_args; done++) {
516 struct io_mapped_ubuf *imu;
517 int offset = up->offset + done;
520 err = io_copy_iov(ctx, &iov, iovs, done);
523 if (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {
527 err = io_buffer_validate(&iov);
530 if (!iov.iov_base && tag) {
534 err = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);
538 i = array_index_nospec(offset, ctx->nr_user_bufs);
539 if (ctx->user_bufs[i] != ctx->dummy_ubuf) {
540 err = io_queue_rsrc_removal(ctx->buf_data, i,
541 ctx->rsrc_node, ctx->user_bufs[i]);
543 io_buffer_unmap(ctx, &imu);
546 ctx->user_bufs[i] = ctx->dummy_ubuf;
550 ctx->user_bufs[i] = imu;
551 *io_get_tag_slot(ctx->buf_data, offset) = tag;
555 io_rsrc_node_switch(ctx, ctx->buf_data);
556 return done ? done : err;
559 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
560 struct io_uring_rsrc_update2 *up,
566 if (check_add_overflow(up->offset, nr_args, &tmp))
568 err = io_rsrc_node_switch_start(ctx);
573 case IORING_RSRC_FILE:
574 return __io_sqe_files_update(ctx, up, nr_args);
575 case IORING_RSRC_BUFFER:
576 return __io_sqe_buffers_update(ctx, up, nr_args);
581 int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,
584 struct io_uring_rsrc_update2 up;
588 memset(&up, 0, sizeof(up));
589 if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))
591 if (up.resv || up.resv2)
593 return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);
596 int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
597 unsigned size, unsigned type)
599 struct io_uring_rsrc_update2 up;
601 if (size != sizeof(up))
603 if (copy_from_user(&up, arg, sizeof(up)))
605 if (!up.nr || up.resv || up.resv2)
607 return __io_register_rsrc_update(ctx, type, &up, up.nr);
610 __cold int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
611 unsigned int size, unsigned int type)
613 struct io_uring_rsrc_register rr;
615 /* keep it extendible */
616 if (size != sizeof(rr))
619 memset(&rr, 0, sizeof(rr));
620 if (copy_from_user(&rr, arg, size))
622 if (!rr.nr || rr.resv2)
624 if (rr.flags & ~IORING_RSRC_REGISTER_SPARSE)
628 case IORING_RSRC_FILE:
629 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
631 return io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),
632 rr.nr, u64_to_user_ptr(rr.tags));
633 case IORING_RSRC_BUFFER:
634 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
636 return io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),
637 rr.nr, u64_to_user_ptr(rr.tags));
642 int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
644 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
646 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
648 if (sqe->rw_flags || sqe->splice_fd_in)
651 up->offset = READ_ONCE(sqe->off);
652 up->nr_args = READ_ONCE(sqe->len);
655 up->arg = READ_ONCE(sqe->addr);
659 static int io_files_update_with_index_alloc(struct io_kiocb *req,
660 unsigned int issue_flags)
662 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
663 __s32 __user *fds = u64_to_user_ptr(up->arg);
668 if (!req->ctx->file_data)
671 for (done = 0; done < up->nr_args; done++) {
672 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
682 ret = io_fixed_fd_install(req, issue_flags, file,
683 IORING_FILE_INDEX_ALLOC);
686 if (copy_to_user(&fds[done], &ret, sizeof(ret))) {
687 __io_close_fixed(req->ctx, issue_flags, ret);
698 int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
700 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
701 struct io_ring_ctx *ctx = req->ctx;
702 struct io_uring_rsrc_update2 up2;
705 up2.offset = up->offset;
712 if (up->offset == IORING_FILE_INDEX_ALLOC) {
713 ret = io_files_update_with_index_alloc(req, issue_flags);
715 io_ring_submit_lock(ctx, issue_flags);
716 ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
718 io_ring_submit_unlock(ctx, issue_flags);
723 io_req_set_res(req, ret, 0);
727 int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,
728 struct io_rsrc_node *node, void *rsrc)
730 u64 *tag_slot = io_get_tag_slot(data, idx);
731 struct io_rsrc_put *prsrc;
733 prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);
737 prsrc->tag = *tag_slot;
740 list_add(&prsrc->list, &node->rsrc_list);
744 void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
748 for (i = 0; i < ctx->nr_user_files; i++) {
749 struct file *file = io_file_from_index(&ctx->file_table, i);
751 /* skip scm accounted files, they'll be freed by ->ring_sock */
752 if (!file || io_file_need_scm(file))
754 io_file_bitmap_clear(&ctx->file_table, i);
758 #if defined(CONFIG_UNIX)
759 if (ctx->ring_sock) {
760 struct sock *sock = ctx->ring_sock->sk;
763 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
767 io_free_file_tables(&ctx->file_table);
768 io_file_table_set_alloc_range(ctx, 0, 0);
769 io_rsrc_data_free(ctx->file_data);
770 ctx->file_data = NULL;
771 ctx->nr_user_files = 0;
774 int io_sqe_files_unregister(struct io_ring_ctx *ctx)
776 unsigned nr = ctx->nr_user_files;
783 * Quiesce may unlock ->uring_lock, and while it's not held
784 * prevent new requests using the table.
786 ctx->nr_user_files = 0;
787 ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
788 ctx->nr_user_files = nr;
790 __io_sqe_files_unregister(ctx);
795 * Ensure the UNIX gc is aware of our file set, so we are certain that
796 * the io_uring can be safely unregistered on process exit, even if we have
797 * loops in the file referencing. We account only files that can hold other
798 * files because otherwise they can't form a loop and so are not interesting
801 int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file)
803 #if defined(CONFIG_UNIX)
804 struct sock *sk = ctx->ring_sock->sk;
805 struct sk_buff_head *head = &sk->sk_receive_queue;
806 struct scm_fp_list *fpl;
809 if (likely(!io_file_need_scm(file)))
813 * See if we can merge this file into an existing skb SCM_RIGHTS
814 * file set. If there's no room, fall back to allocating a new skb
817 spin_lock_irq(&head->lock);
818 skb = skb_peek(head);
819 if (skb && UNIXCB(skb).fp->count < SCM_MAX_FD)
820 __skb_unlink(skb, head);
823 spin_unlock_irq(&head->lock);
826 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
830 skb = alloc_skb(0, GFP_KERNEL);
836 fpl->user = get_uid(current_user());
837 fpl->max = SCM_MAX_FD;
840 UNIXCB(skb).fp = fpl;
842 skb->scm_io_uring = 1;
843 skb->destructor = unix_destruct_scm;
844 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
847 fpl = UNIXCB(skb).fp;
848 fpl->fp[fpl->count++] = get_file(file);
849 unix_inflight(fpl->user, file);
850 skb_queue_head(head, skb);
856 static void io_rsrc_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
858 struct file *file = prsrc->file;
859 #if defined(CONFIG_UNIX)
860 struct sock *sock = ctx->ring_sock->sk;
861 struct sk_buff_head list, *head = &sock->sk_receive_queue;
865 if (!io_file_need_scm(file)) {
870 __skb_queue_head_init(&list);
873 * Find the skb that holds this file in its SCM_RIGHTS. When found,
874 * remove this entry and rearrange the file array.
876 skb = skb_dequeue(head);
878 struct scm_fp_list *fp;
881 for (i = 0; i < fp->count; i++) {
884 if (fp->fp[i] != file)
887 unix_notinflight(fp->user, fp->fp[i]);
888 left = fp->count - 1 - i;
890 memmove(&fp->fp[i], &fp->fp[i + 1],
891 left * sizeof(struct file *));
898 __skb_queue_tail(&list, skb);
908 __skb_queue_tail(&list, skb);
910 skb = skb_dequeue(head);
913 if (skb_peek(&list)) {
914 spin_lock_irq(&head->lock);
915 while ((skb = __skb_dequeue(&list)) != NULL)
916 __skb_queue_tail(head, skb);
917 spin_unlock_irq(&head->lock);
924 int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
925 unsigned nr_args, u64 __user *tags)
927 __s32 __user *fds = (__s32 __user *) arg;
936 if (nr_args > IORING_MAX_FIXED_FILES)
938 if (nr_args > rlimit(RLIMIT_NOFILE))
940 ret = io_rsrc_node_switch_start(ctx);
943 ret = io_rsrc_data_alloc(ctx, io_rsrc_file_put, tags, nr_args,
948 if (!io_alloc_file_tables(&ctx->file_table, nr_args)) {
949 io_rsrc_data_free(ctx->file_data);
950 ctx->file_data = NULL;
954 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
955 struct io_fixed_file *file_slot;
957 if (fds && copy_from_user(&fd, &fds[i], sizeof(fd))) {
961 /* allow sparse sets */
962 if (!fds || fd == -1) {
964 if (unlikely(*io_get_tag_slot(ctx->file_data, i)))
975 * Don't allow io_uring instances to be registered. If UNIX
976 * isn't enabled, then this causes a reference cycle and this
977 * instance can never get freed. If UNIX is enabled we'll
978 * handle it just fine, but there's still no point in allowing
979 * a ring fd as it doesn't support regular read/write anyway.
981 if (io_is_uring_fops(file)) {
985 ret = io_scm_file_account(ctx, file);
990 file_slot = io_fixed_file_slot(&ctx->file_table, i);
991 io_fixed_file_set(file_slot, file);
992 io_file_bitmap_set(&ctx->file_table, i);
995 /* default it to the whole table */
996 io_file_table_set_alloc_range(ctx, 0, ctx->nr_user_files);
997 io_rsrc_node_switch(ctx, NULL);
1000 __io_sqe_files_unregister(ctx);
1004 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
1006 io_buffer_unmap(ctx, &prsrc->buf);
1010 void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
1014 for (i = 0; i < ctx->nr_user_bufs; i++)
1015 io_buffer_unmap(ctx, &ctx->user_bufs[i]);
1016 kfree(ctx->user_bufs);
1017 io_rsrc_data_free(ctx->buf_data);
1018 ctx->user_bufs = NULL;
1019 ctx->buf_data = NULL;
1020 ctx->nr_user_bufs = 0;
1023 int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
1025 unsigned nr = ctx->nr_user_bufs;
1032 * Quiesce may unlock ->uring_lock, and while it's not held
1033 * prevent new requests using the table.
1035 ctx->nr_user_bufs = 0;
1036 ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
1037 ctx->nr_user_bufs = nr;
1039 __io_sqe_buffers_unregister(ctx);
1044 * Not super efficient, but this is just a registration time. And we do cache
1045 * the last compound head, so generally we'll only do a full search if we don't
1048 * We check if the given compound head page has already been accounted, to
1049 * avoid double accounting it. This allows us to account the full size of the
1050 * page, not just the constituent pages of a huge page.
1052 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
1053 int nr_pages, struct page *hpage)
1057 /* check current page array */
1058 for (i = 0; i < nr_pages; i++) {
1059 if (!PageCompound(pages[i]))
1061 if (compound_head(pages[i]) == hpage)
1065 /* check previously registered pages */
1066 for (i = 0; i < ctx->nr_user_bufs; i++) {
1067 struct io_mapped_ubuf *imu = ctx->user_bufs[i];
1069 for (j = 0; j < imu->nr_bvecs; j++) {
1070 if (!PageCompound(imu->bvec[j].bv_page))
1072 if (compound_head(imu->bvec[j].bv_page) == hpage)
1080 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
1081 int nr_pages, struct io_mapped_ubuf *imu,
1082 struct page **last_hpage)
1086 imu->acct_pages = 0;
1087 for (i = 0; i < nr_pages; i++) {
1088 if (!PageCompound(pages[i])) {
1093 hpage = compound_head(pages[i]);
1094 if (hpage == *last_hpage)
1096 *last_hpage = hpage;
1097 if (headpage_already_acct(ctx, pages, i, hpage))
1099 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
1103 if (!imu->acct_pages)
1106 ret = io_account_mem(ctx, imu->acct_pages);
1108 imu->acct_pages = 0;
1112 struct page **io_pin_pages(unsigned long ubuf, unsigned long len, int *npages)
1114 unsigned long start, end, nr_pages;
1115 struct vm_area_struct **vmas = NULL;
1116 struct page **pages = NULL;
1117 int i, pret, ret = -ENOMEM;
1119 end = (ubuf + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1120 start = ubuf >> PAGE_SHIFT;
1121 nr_pages = end - start;
1123 pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
1127 vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),
1133 mmap_read_lock(current->mm);
1134 pret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
1136 if (pret == nr_pages) {
1137 struct file *file = vmas[0]->vm_file;
1139 /* don't support file backed memory */
1140 for (i = 0; i < nr_pages; i++) {
1141 if (vmas[i]->vm_file != file) {
1147 if (!vma_is_shmem(vmas[i]) && !is_file_hugepages(file)) {
1154 ret = pret < 0 ? pret : -EFAULT;
1156 mmap_read_unlock(current->mm);
1159 * if we did partial map, or found file backed vmas,
1160 * release any pages we did get
1163 unpin_user_pages(pages, pret);
1171 pages = ERR_PTR(ret);
1176 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
1177 struct io_mapped_ubuf **pimu,
1178 struct page **last_hpage)
1180 struct io_mapped_ubuf *imu = NULL;
1181 struct page **pages = NULL;
1184 int ret, nr_pages, i;
1185 struct folio *folio = NULL;
1187 *pimu = ctx->dummy_ubuf;
1192 pages = io_pin_pages((unsigned long) iov->iov_base, iov->iov_len,
1194 if (IS_ERR(pages)) {
1195 ret = PTR_ERR(pages);
1200 /* If it's a huge page, try to coalesce them into a single bvec entry */
1202 folio = page_folio(pages[0]);
1203 for (i = 1; i < nr_pages; i++) {
1204 if (page_folio(pages[i]) != folio) {
1211 * The pages are bound to the folio, it doesn't
1212 * actually unpin them but drops all but one reference,
1213 * which is usually put down by io_buffer_unmap().
1214 * Note, needs a better helper.
1216 unpin_user_pages(&pages[1], nr_pages - 1);
1221 imu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);
1225 ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
1227 unpin_user_pages(pages, nr_pages);
1231 off = (unsigned long) iov->iov_base & ~PAGE_MASK;
1232 size = iov->iov_len;
1233 /* store original address for later verification */
1234 imu->ubuf = (unsigned long) iov->iov_base;
1235 imu->ubuf_end = imu->ubuf + iov->iov_len;
1236 imu->nr_bvecs = nr_pages;
1241 bvec_set_page(&imu->bvec[0], pages[0], size, off);
1244 for (i = 0; i < nr_pages; i++) {
1247 vec_len = min_t(size_t, size, PAGE_SIZE - off);
1248 bvec_set_page(&imu->bvec[i], pages[i], vec_len, off);
1259 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
1261 ctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);
1262 return ctx->user_bufs ? 0 : -ENOMEM;
1265 int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
1266 unsigned int nr_args, u64 __user *tags)
1268 struct page *last_hpage = NULL;
1269 struct io_rsrc_data *data;
1273 BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
1277 if (!nr_args || nr_args > IORING_MAX_REG_BUFFERS)
1279 ret = io_rsrc_node_switch_start(ctx);
1282 ret = io_rsrc_data_alloc(ctx, io_rsrc_buf_put, tags, nr_args, &data);
1285 ret = io_buffers_map_alloc(ctx, nr_args);
1287 io_rsrc_data_free(data);
1291 for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {
1293 ret = io_copy_iov(ctx, &iov, arg, i);
1296 ret = io_buffer_validate(&iov);
1300 memset(&iov, 0, sizeof(iov));
1303 if (!iov.iov_base && *io_get_tag_slot(data, i)) {
1308 ret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],
1314 WARN_ON_ONCE(ctx->buf_data);
1316 ctx->buf_data = data;
1318 __io_sqe_buffers_unregister(ctx);
1320 io_rsrc_node_switch(ctx, NULL);
1324 int io_import_fixed(int ddir, struct iov_iter *iter,
1325 struct io_mapped_ubuf *imu,
1326 u64 buf_addr, size_t len)
1331 if (WARN_ON_ONCE(!imu))
1333 if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
1335 /* not inside the mapped region */
1336 if (unlikely(buf_addr < imu->ubuf || buf_end > imu->ubuf_end))
1340 * Might not be a start of buffer, set size appropriately
1341 * and advance us to the beginning.
1343 offset = buf_addr - imu->ubuf;
1344 iov_iter_bvec(iter, ddir, imu->bvec, imu->nr_bvecs, offset + len);
1348 * Don't use iov_iter_advance() here, as it's really slow for
1349 * using the latter parts of a big fixed buffer - it iterates
1350 * over each segment manually. We can cheat a bit here, because
1353 * 1) it's a BVEC iter, we set it up
1354 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1355 * first and last bvec
1357 * So just find our index, and adjust the iterator afterwards.
1358 * If the offset is within the first bvec (or the whole first
1359 * bvec, just use iov_iter_advance(). This makes it easier
1360 * since we can just skip the first segment, which may not
1361 * be PAGE_SIZE aligned.
1363 const struct bio_vec *bvec = imu->bvec;
1365 if (offset <= bvec->bv_len) {
1367 * Note, huge pages buffers consists of one large
1368 * bvec entry and should always go this way. The other
1369 * branch doesn't expect non PAGE_SIZE'd chunks.
1372 iter->nr_segs = bvec->bv_len;
1373 iter->count -= offset;
1374 iter->iov_offset = offset;
1376 unsigned long seg_skip;
1378 /* skip first vec */
1379 offset -= bvec->bv_len;
1380 seg_skip = 1 + (offset >> PAGE_SHIFT);
1382 iter->bvec = bvec + seg_skip;
1383 iter->nr_segs -= seg_skip;
1384 iter->count -= bvec->bv_len + offset;
1385 iter->iov_offset = offset & ~PAGE_MASK;
projects / platform / kernel / linux-starfive.git / blob