1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/nospec.h>
9 #include <linux/hugetlb.h>
10 #include <linux/compat.h>
11 #include <linux/io_uring.h>
13 #include <uapi/linux/io_uring.h>
16 #include "openclose.h"
19 struct io_rsrc_update {
26 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
27 struct io_mapped_ubuf **pimu,
28 struct page **last_hpage);
31 #define IORING_MAX_FIXED_FILES (1U << 20)
32 #define IORING_MAX_REG_BUFFERS (1U << 14)
34 int __io_account_mem(struct user_struct *user, unsigned long nr_pages)
36 unsigned long page_limit, cur_pages, new_pages;
41 /* Don't allow more pages than we can safely lock */
42 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
44 cur_pages = atomic_long_read(&user->locked_vm);
46 new_pages = cur_pages + nr_pages;
47 if (new_pages > page_limit)
49 } while (!atomic_long_try_cmpxchg(&user->locked_vm,
50 &cur_pages, new_pages));
54 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
57 __io_unaccount_mem(ctx->user, nr_pages);
60 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
63 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
68 ret = __io_account_mem(ctx->user, nr_pages);
74 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
79 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
80 void __user *arg, unsigned index)
82 struct iovec __user *src;
86 struct compat_iovec __user *ciovs;
87 struct compat_iovec ciov;
89 ciovs = (struct compat_iovec __user *) arg;
90 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
93 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
94 dst->iov_len = ciov.iov_len;
98 src = (struct iovec __user *) arg;
99 if (copy_from_user(dst, &src[index], sizeof(*dst)))
104 static int io_buffer_validate(struct iovec *iov)
106 unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
109 * Don't impose further limits on the size and buffer
110 * constraints here, we'll -EINVAL later when IO is
111 * submitted if they are wrong.
114 return iov->iov_len ? -EFAULT : 0;
118 /* arbitrary limit, but we need something */
119 if (iov->iov_len > SZ_1G)
122 if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
128 static void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)
130 struct io_mapped_ubuf *imu = *slot;
133 if (imu != ctx->dummy_ubuf) {
134 for (i = 0; i < imu->nr_bvecs; i++)
135 unpin_user_page(imu->bvec[i].bv_page);
137 io_unaccount_mem(ctx, imu->acct_pages);
143 static void io_rsrc_put_work_one(struct io_rsrc_data *rsrc_data,
144 struct io_rsrc_put *prsrc)
146 struct io_ring_ctx *ctx = rsrc_data->ctx;
149 io_post_aux_cqe(ctx, prsrc->tag, 0, 0);
150 rsrc_data->do_put(ctx, prsrc);
153 static void __io_rsrc_put_work(struct io_rsrc_node *ref_node)
155 struct io_rsrc_data *rsrc_data = ref_node->rsrc_data;
156 struct io_rsrc_put *prsrc, *tmp;
158 if (ref_node->inline_items)
159 io_rsrc_put_work_one(rsrc_data, &ref_node->item);
161 list_for_each_entry_safe(prsrc, tmp, &ref_node->item_list, list) {
162 list_del(&prsrc->list);
163 io_rsrc_put_work_one(rsrc_data, prsrc);
167 io_rsrc_node_destroy(rsrc_data->ctx, ref_node);
170 void io_rsrc_node_destroy(struct io_ring_ctx *ctx, struct io_rsrc_node *node)
172 if (!io_alloc_cache_put(&ctx->rsrc_node_cache, &node->cache))
176 void io_rsrc_node_ref_zero(struct io_rsrc_node *node)
177 __must_hold(&node->rsrc_data->ctx->uring_lock)
179 struct io_ring_ctx *ctx = node->rsrc_data->ctx;
181 while (!list_empty(&ctx->rsrc_ref_list)) {
182 node = list_first_entry(&ctx->rsrc_ref_list,
183 struct io_rsrc_node, node);
184 /* recycle ref nodes in order */
187 list_del(&node->node);
188 __io_rsrc_put_work(node);
190 if (list_empty(&ctx->rsrc_ref_list) && unlikely(ctx->rsrc_quiesce))
191 wake_up_all(&ctx->rsrc_quiesce_wq);
194 struct io_rsrc_node *io_rsrc_node_alloc(struct io_ring_ctx *ctx)
196 struct io_rsrc_node *ref_node;
197 struct io_cache_entry *entry;
199 entry = io_alloc_cache_get(&ctx->rsrc_node_cache);
201 ref_node = container_of(entry, struct io_rsrc_node, cache);
203 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
208 ref_node->rsrc_data = NULL;
210 INIT_LIST_HEAD(&ref_node->node);
211 INIT_LIST_HEAD(&ref_node->item_list);
212 ref_node->inline_items = 0;
216 void io_rsrc_node_switch(struct io_ring_ctx *ctx,
217 struct io_rsrc_data *data_to_kill)
218 __must_hold(&ctx->uring_lock)
220 struct io_rsrc_node *node = ctx->rsrc_node;
221 struct io_rsrc_node *backup = io_rsrc_node_alloc(ctx);
223 if (WARN_ON_ONCE(!backup))
226 node->rsrc_data = data_to_kill;
227 list_add_tail(&node->node, &ctx->rsrc_ref_list);
229 io_put_rsrc_node(ctx, node);
230 ctx->rsrc_node = backup;
233 int io_rsrc_node_switch_start(struct io_ring_ctx *ctx)
235 if (io_alloc_cache_empty(&ctx->rsrc_node_cache)) {
236 struct io_rsrc_node *node = kzalloc(sizeof(*node), GFP_KERNEL);
240 io_alloc_cache_put(&ctx->rsrc_node_cache, &node->cache);
245 __cold static int io_rsrc_ref_quiesce(struct io_rsrc_data *data,
246 struct io_ring_ctx *ctx)
251 /* As we may drop ->uring_lock, other task may have started quiesce */
254 ret = io_rsrc_node_switch_start(ctx);
257 io_rsrc_node_switch(ctx, data);
259 if (list_empty(&ctx->rsrc_ref_list))
262 if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) {
263 atomic_set(&ctx->cq_wait_nr, 1);
268 data->quiesce = true;
270 prepare_to_wait(&ctx->rsrc_quiesce_wq, &we, TASK_INTERRUPTIBLE);
271 mutex_unlock(&ctx->uring_lock);
273 ret = io_run_task_work_sig(ctx);
275 mutex_lock(&ctx->uring_lock);
276 if (list_empty(&ctx->rsrc_ref_list))
282 __set_current_state(TASK_RUNNING);
283 mutex_lock(&ctx->uring_lock);
285 } while (!list_empty(&ctx->rsrc_ref_list));
287 finish_wait(&ctx->rsrc_quiesce_wq, &we);
288 data->quiesce = false;
291 if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) {
292 atomic_set(&ctx->cq_wait_nr, 0);
298 static void io_free_page_table(void **table, size_t size)
300 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
302 for (i = 0; i < nr_tables; i++)
307 static void io_rsrc_data_free(struct io_rsrc_data *data)
309 size_t size = data->nr * sizeof(data->tags[0][0]);
312 io_free_page_table((void **)data->tags, size);
316 static __cold void **io_alloc_page_table(size_t size)
318 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
319 size_t init_size = size;
322 table = kcalloc(nr_tables, sizeof(*table), GFP_KERNEL_ACCOUNT);
326 for (i = 0; i < nr_tables; i++) {
327 unsigned int this_size = min_t(size_t, size, PAGE_SIZE);
329 table[i] = kzalloc(this_size, GFP_KERNEL_ACCOUNT);
331 io_free_page_table(table, init_size);
339 __cold static int io_rsrc_data_alloc(struct io_ring_ctx *ctx,
340 rsrc_put_fn *do_put, u64 __user *utags,
341 unsigned nr, struct io_rsrc_data **pdata)
343 struct io_rsrc_data *data;
347 data = kzalloc(sizeof(*data), GFP_KERNEL);
350 data->tags = (u64 **)io_alloc_page_table(nr * sizeof(data->tags[0][0]));
358 data->do_put = do_put;
361 for (i = 0; i < nr; i++) {
362 u64 *tag_slot = io_get_tag_slot(data, i);
364 if (copy_from_user(tag_slot, &utags[i],
372 io_rsrc_data_free(data);
376 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
377 struct io_uring_rsrc_update2 *up,
380 u64 __user *tags = u64_to_user_ptr(up->tags);
381 __s32 __user *fds = u64_to_user_ptr(up->data);
382 struct io_rsrc_data *data = ctx->file_data;
383 struct io_fixed_file *file_slot;
387 bool needs_switch = false;
391 if (up->offset + nr_args > ctx->nr_user_files)
394 for (done = 0; done < nr_args; done++) {
397 if ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||
398 copy_from_user(&fd, &fds[done], sizeof(fd))) {
402 if ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) {
406 if (fd == IORING_REGISTER_FILES_SKIP)
409 i = array_index_nospec(up->offset + done, ctx->nr_user_files);
410 file_slot = io_fixed_file_slot(&ctx->file_table, i);
412 if (file_slot->file_ptr) {
413 file = (struct file *)(file_slot->file_ptr & FFS_MASK);
414 err = io_queue_rsrc_removal(data, i, ctx->rsrc_node, file);
417 file_slot->file_ptr = 0;
418 io_file_bitmap_clear(&ctx->file_table, i);
428 * Don't allow io_uring instances to be registered. If
429 * UNIX isn't enabled, then this causes a reference
430 * cycle and this instance can never get freed. If UNIX
431 * is enabled we'll handle it just fine, but there's
432 * still no point in allowing a ring fd as it doesn't
433 * support regular read/write anyway.
435 if (io_is_uring_fops(file)) {
440 err = io_scm_file_account(ctx, file);
445 *io_get_tag_slot(data, i) = tag;
446 io_fixed_file_set(file_slot, file);
447 io_file_bitmap_set(&ctx->file_table, i);
452 io_rsrc_node_switch(ctx, data);
453 return done ? done : err;
456 static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
457 struct io_uring_rsrc_update2 *up,
458 unsigned int nr_args)
460 u64 __user *tags = u64_to_user_ptr(up->tags);
461 struct iovec iov, __user *iovs = u64_to_user_ptr(up->data);
462 struct page *last_hpage = NULL;
463 bool needs_switch = false;
469 if (up->offset + nr_args > ctx->nr_user_bufs)
472 for (done = 0; done < nr_args; done++) {
473 struct io_mapped_ubuf *imu;
474 int offset = up->offset + done;
477 err = io_copy_iov(ctx, &iov, iovs, done);
480 if (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {
484 err = io_buffer_validate(&iov);
487 if (!iov.iov_base && tag) {
491 err = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);
495 i = array_index_nospec(offset, ctx->nr_user_bufs);
496 if (ctx->user_bufs[i] != ctx->dummy_ubuf) {
497 err = io_queue_rsrc_removal(ctx->buf_data, i,
498 ctx->rsrc_node, ctx->user_bufs[i]);
500 io_buffer_unmap(ctx, &imu);
503 ctx->user_bufs[i] = ctx->dummy_ubuf;
507 ctx->user_bufs[i] = imu;
508 *io_get_tag_slot(ctx->buf_data, i) = tag;
512 io_rsrc_node_switch(ctx, ctx->buf_data);
513 return done ? done : err;
516 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
517 struct io_uring_rsrc_update2 *up,
523 lockdep_assert_held(&ctx->uring_lock);
525 if (check_add_overflow(up->offset, nr_args, &tmp))
527 err = io_rsrc_node_switch_start(ctx);
532 case IORING_RSRC_FILE:
533 return __io_sqe_files_update(ctx, up, nr_args);
534 case IORING_RSRC_BUFFER:
535 return __io_sqe_buffers_update(ctx, up, nr_args);
540 int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,
543 struct io_uring_rsrc_update2 up;
547 memset(&up, 0, sizeof(up));
548 if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))
550 if (up.resv || up.resv2)
552 return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);
555 int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
556 unsigned size, unsigned type)
558 struct io_uring_rsrc_update2 up;
560 if (size != sizeof(up))
562 if (copy_from_user(&up, arg, sizeof(up)))
564 if (!up.nr || up.resv || up.resv2)
566 return __io_register_rsrc_update(ctx, type, &up, up.nr);
569 __cold int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
570 unsigned int size, unsigned int type)
572 struct io_uring_rsrc_register rr;
574 /* keep it extendible */
575 if (size != sizeof(rr))
578 memset(&rr, 0, sizeof(rr));
579 if (copy_from_user(&rr, arg, size))
581 if (!rr.nr || rr.resv2)
583 if (rr.flags & ~IORING_RSRC_REGISTER_SPARSE)
587 case IORING_RSRC_FILE:
588 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
590 return io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),
591 rr.nr, u64_to_user_ptr(rr.tags));
592 case IORING_RSRC_BUFFER:
593 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
595 return io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),
596 rr.nr, u64_to_user_ptr(rr.tags));
601 int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
603 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
605 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
607 if (sqe->rw_flags || sqe->splice_fd_in)
610 up->offset = READ_ONCE(sqe->off);
611 up->nr_args = READ_ONCE(sqe->len);
614 up->arg = READ_ONCE(sqe->addr);
618 static int io_files_update_with_index_alloc(struct io_kiocb *req,
619 unsigned int issue_flags)
621 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
622 __s32 __user *fds = u64_to_user_ptr(up->arg);
627 if (!req->ctx->file_data)
630 for (done = 0; done < up->nr_args; done++) {
631 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
641 ret = io_fixed_fd_install(req, issue_flags, file,
642 IORING_FILE_INDEX_ALLOC);
645 if (copy_to_user(&fds[done], &ret, sizeof(ret))) {
646 __io_close_fixed(req->ctx, issue_flags, ret);
657 int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
659 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
660 struct io_ring_ctx *ctx = req->ctx;
661 struct io_uring_rsrc_update2 up2;
664 up2.offset = up->offset;
671 if (up->offset == IORING_FILE_INDEX_ALLOC) {
672 ret = io_files_update_with_index_alloc(req, issue_flags);
674 io_ring_submit_lock(ctx, issue_flags);
675 ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
677 io_ring_submit_unlock(ctx, issue_flags);
682 io_req_set_res(req, ret, 0);
686 int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,
687 struct io_rsrc_node *node, void *rsrc)
689 u64 *tag_slot = io_get_tag_slot(data, idx);
690 struct io_rsrc_put *prsrc;
691 bool inline_item = true;
693 if (!node->inline_items) {
695 node->inline_items++;
697 prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);
703 prsrc->tag = *tag_slot;
707 list_add(&prsrc->list, &node->item_list);
711 void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
715 for (i = 0; i < ctx->nr_user_files; i++) {
716 struct file *file = io_file_from_index(&ctx->file_table, i);
718 /* skip scm accounted files, they'll be freed by ->ring_sock */
719 if (!file || io_file_need_scm(file))
721 io_file_bitmap_clear(&ctx->file_table, i);
725 #if defined(CONFIG_UNIX)
726 if (ctx->ring_sock) {
727 struct sock *sock = ctx->ring_sock->sk;
730 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
734 io_free_file_tables(&ctx->file_table);
735 io_file_table_set_alloc_range(ctx, 0, 0);
736 io_rsrc_data_free(ctx->file_data);
737 ctx->file_data = NULL;
738 ctx->nr_user_files = 0;
741 int io_sqe_files_unregister(struct io_ring_ctx *ctx)
743 unsigned nr = ctx->nr_user_files;
750 * Quiesce may unlock ->uring_lock, and while it's not held
751 * prevent new requests using the table.
753 ctx->nr_user_files = 0;
754 ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
755 ctx->nr_user_files = nr;
757 __io_sqe_files_unregister(ctx);
762 * Ensure the UNIX gc is aware of our file set, so we are certain that
763 * the io_uring can be safely unregistered on process exit, even if we have
764 * loops in the file referencing. We account only files that can hold other
765 * files because otherwise they can't form a loop and so are not interesting
768 int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file)
770 #if defined(CONFIG_UNIX)
771 struct sock *sk = ctx->ring_sock->sk;
772 struct sk_buff_head *head = &sk->sk_receive_queue;
773 struct scm_fp_list *fpl;
776 if (likely(!io_file_need_scm(file)))
780 * See if we can merge this file into an existing skb SCM_RIGHTS
781 * file set. If there's no room, fall back to allocating a new skb
784 spin_lock_irq(&head->lock);
785 skb = skb_peek(head);
786 if (skb && UNIXCB(skb).fp->count < SCM_MAX_FD)
787 __skb_unlink(skb, head);
790 spin_unlock_irq(&head->lock);
793 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
797 skb = alloc_skb(0, GFP_KERNEL);
803 fpl->user = get_uid(current_user());
804 fpl->max = SCM_MAX_FD;
807 UNIXCB(skb).fp = fpl;
809 skb->scm_io_uring = 1;
810 skb->destructor = unix_destruct_scm;
811 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
814 fpl = UNIXCB(skb).fp;
815 fpl->fp[fpl->count++] = get_file(file);
816 unix_inflight(fpl->user, file);
817 skb_queue_head(head, skb);
823 static __cold void io_rsrc_file_scm_put(struct io_ring_ctx *ctx, struct file *file)
825 #if defined(CONFIG_UNIX)
826 struct sock *sock = ctx->ring_sock->sk;
827 struct sk_buff_head list, *head = &sock->sk_receive_queue;
831 __skb_queue_head_init(&list);
834 * Find the skb that holds this file in its SCM_RIGHTS. When found,
835 * remove this entry and rearrange the file array.
837 skb = skb_dequeue(head);
839 struct scm_fp_list *fp;
842 for (i = 0; i < fp->count; i++) {
845 if (fp->fp[i] != file)
848 unix_notinflight(fp->user, fp->fp[i]);
849 left = fp->count - 1 - i;
851 memmove(&fp->fp[i], &fp->fp[i + 1],
852 left * sizeof(struct file *));
859 __skb_queue_tail(&list, skb);
869 __skb_queue_tail(&list, skb);
871 skb = skb_dequeue(head);
874 if (skb_peek(&list)) {
875 spin_lock_irq(&head->lock);
876 while ((skb = __skb_dequeue(&list)) != NULL)
877 __skb_queue_tail(head, skb);
878 spin_unlock_irq(&head->lock);
883 static void io_rsrc_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
885 struct file *file = prsrc->file;
887 if (likely(!io_file_need_scm(file)))
890 io_rsrc_file_scm_put(ctx, file);
893 int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
894 unsigned nr_args, u64 __user *tags)
896 __s32 __user *fds = (__s32 __user *) arg;
905 if (nr_args > IORING_MAX_FIXED_FILES)
907 if (nr_args > rlimit(RLIMIT_NOFILE))
909 ret = io_rsrc_data_alloc(ctx, io_rsrc_file_put, tags, nr_args,
914 if (!io_alloc_file_tables(&ctx->file_table, nr_args)) {
915 io_rsrc_data_free(ctx->file_data);
916 ctx->file_data = NULL;
920 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
921 struct io_fixed_file *file_slot;
923 if (fds && copy_from_user(&fd, &fds[i], sizeof(fd))) {
927 /* allow sparse sets */
928 if (!fds || fd == -1) {
930 if (unlikely(*io_get_tag_slot(ctx->file_data, i)))
941 * Don't allow io_uring instances to be registered. If UNIX
942 * isn't enabled, then this causes a reference cycle and this
943 * instance can never get freed. If UNIX is enabled we'll
944 * handle it just fine, but there's still no point in allowing
945 * a ring fd as it doesn't support regular read/write anyway.
947 if (io_is_uring_fops(file)) {
951 ret = io_scm_file_account(ctx, file);
956 file_slot = io_fixed_file_slot(&ctx->file_table, i);
957 io_fixed_file_set(file_slot, file);
958 io_file_bitmap_set(&ctx->file_table, i);
961 /* default it to the whole table */
962 io_file_table_set_alloc_range(ctx, 0, ctx->nr_user_files);
965 __io_sqe_files_unregister(ctx);
969 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
971 io_buffer_unmap(ctx, &prsrc->buf);
975 void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
979 for (i = 0; i < ctx->nr_user_bufs; i++)
980 io_buffer_unmap(ctx, &ctx->user_bufs[i]);
981 kfree(ctx->user_bufs);
982 io_rsrc_data_free(ctx->buf_data);
983 ctx->user_bufs = NULL;
984 ctx->buf_data = NULL;
985 ctx->nr_user_bufs = 0;
988 int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
990 unsigned nr = ctx->nr_user_bufs;
997 * Quiesce may unlock ->uring_lock, and while it's not held
998 * prevent new requests using the table.
1000 ctx->nr_user_bufs = 0;
1001 ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
1002 ctx->nr_user_bufs = nr;
1004 __io_sqe_buffers_unregister(ctx);
1009 * Not super efficient, but this is just a registration time. And we do cache
1010 * the last compound head, so generally we'll only do a full search if we don't
1013 * We check if the given compound head page has already been accounted, to
1014 * avoid double accounting it. This allows us to account the full size of the
1015 * page, not just the constituent pages of a huge page.
1017 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
1018 int nr_pages, struct page *hpage)
1022 /* check current page array */
1023 for (i = 0; i < nr_pages; i++) {
1024 if (!PageCompound(pages[i]))
1026 if (compound_head(pages[i]) == hpage)
1030 /* check previously registered pages */
1031 for (i = 0; i < ctx->nr_user_bufs; i++) {
1032 struct io_mapped_ubuf *imu = ctx->user_bufs[i];
1034 for (j = 0; j < imu->nr_bvecs; j++) {
1035 if (!PageCompound(imu->bvec[j].bv_page))
1037 if (compound_head(imu->bvec[j].bv_page) == hpage)
1045 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
1046 int nr_pages, struct io_mapped_ubuf *imu,
1047 struct page **last_hpage)
1051 imu->acct_pages = 0;
1052 for (i = 0; i < nr_pages; i++) {
1053 if (!PageCompound(pages[i])) {
1058 hpage = compound_head(pages[i]);
1059 if (hpage == *last_hpage)
1061 *last_hpage = hpage;
1062 if (headpage_already_acct(ctx, pages, i, hpage))
1064 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
1068 if (!imu->acct_pages)
1071 ret = io_account_mem(ctx, imu->acct_pages);
1073 imu->acct_pages = 0;
1077 struct page **io_pin_pages(unsigned long ubuf, unsigned long len, int *npages)
1079 unsigned long start, end, nr_pages;
1080 struct vm_area_struct **vmas = NULL;
1081 struct page **pages = NULL;
1082 int i, pret, ret = -ENOMEM;
1084 end = (ubuf + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1085 start = ubuf >> PAGE_SHIFT;
1086 nr_pages = end - start;
1088 pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
1092 vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),
1098 mmap_read_lock(current->mm);
1099 pret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
1101 if (pret == nr_pages) {
1102 struct file *file = vmas[0]->vm_file;
1104 /* don't support file backed memory */
1105 for (i = 0; i < nr_pages; i++) {
1106 if (vmas[i]->vm_file != file) {
1112 if (!vma_is_shmem(vmas[i]) && !is_file_hugepages(file)) {
1119 ret = pret < 0 ? pret : -EFAULT;
1121 mmap_read_unlock(current->mm);
1124 * if we did partial map, or found file backed vmas,
1125 * release any pages we did get
1128 unpin_user_pages(pages, pret);
1136 pages = ERR_PTR(ret);
1141 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
1142 struct io_mapped_ubuf **pimu,
1143 struct page **last_hpage)
1145 struct io_mapped_ubuf *imu = NULL;
1146 struct page **pages = NULL;
1149 int ret, nr_pages, i;
1150 struct folio *folio = NULL;
1152 *pimu = ctx->dummy_ubuf;
1157 pages = io_pin_pages((unsigned long) iov->iov_base, iov->iov_len,
1159 if (IS_ERR(pages)) {
1160 ret = PTR_ERR(pages);
1165 /* If it's a huge page, try to coalesce them into a single bvec entry */
1167 folio = page_folio(pages[0]);
1168 for (i = 1; i < nr_pages; i++) {
1169 if (page_folio(pages[i]) != folio) {
1176 * The pages are bound to the folio, it doesn't
1177 * actually unpin them but drops all but one reference,
1178 * which is usually put down by io_buffer_unmap().
1179 * Note, needs a better helper.
1181 unpin_user_pages(&pages[1], nr_pages - 1);
1186 imu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);
1190 ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
1192 unpin_user_pages(pages, nr_pages);
1196 off = (unsigned long) iov->iov_base & ~PAGE_MASK;
1197 size = iov->iov_len;
1198 /* store original address for later verification */
1199 imu->ubuf = (unsigned long) iov->iov_base;
1200 imu->ubuf_end = imu->ubuf + iov->iov_len;
1201 imu->nr_bvecs = nr_pages;
1206 bvec_set_page(&imu->bvec[0], pages[0], size, off);
1209 for (i = 0; i < nr_pages; i++) {
1212 vec_len = min_t(size_t, size, PAGE_SIZE - off);
1213 bvec_set_page(&imu->bvec[i], pages[i], vec_len, off);
1224 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
1226 ctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);
1227 return ctx->user_bufs ? 0 : -ENOMEM;
1230 int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
1231 unsigned int nr_args, u64 __user *tags)
1233 struct page *last_hpage = NULL;
1234 struct io_rsrc_data *data;
1238 BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
1242 if (!nr_args || nr_args > IORING_MAX_REG_BUFFERS)
1244 ret = io_rsrc_data_alloc(ctx, io_rsrc_buf_put, tags, nr_args, &data);
1247 ret = io_buffers_map_alloc(ctx, nr_args);
1249 io_rsrc_data_free(data);
1253 for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {
1255 ret = io_copy_iov(ctx, &iov, arg, i);
1258 ret = io_buffer_validate(&iov);
1262 memset(&iov, 0, sizeof(iov));
1265 if (!iov.iov_base && *io_get_tag_slot(data, i)) {
1270 ret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],
1276 WARN_ON_ONCE(ctx->buf_data);
1278 ctx->buf_data = data;
1280 __io_sqe_buffers_unregister(ctx);
1284 int io_import_fixed(int ddir, struct iov_iter *iter,
1285 struct io_mapped_ubuf *imu,
1286 u64 buf_addr, size_t len)
1291 if (WARN_ON_ONCE(!imu))
1293 if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
1295 /* not inside the mapped region */
1296 if (unlikely(buf_addr < imu->ubuf || buf_end > imu->ubuf_end))
1300 * Might not be a start of buffer, set size appropriately
1301 * and advance us to the beginning.
1303 offset = buf_addr - imu->ubuf;
1304 iov_iter_bvec(iter, ddir, imu->bvec, imu->nr_bvecs, offset + len);
1308 * Don't use iov_iter_advance() here, as it's really slow for
1309 * using the latter parts of a big fixed buffer - it iterates
1310 * over each segment manually. We can cheat a bit here, because
1313 * 1) it's a BVEC iter, we set it up
1314 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1315 * first and last bvec
1317 * So just find our index, and adjust the iterator afterwards.
1318 * If the offset is within the first bvec (or the whole first
1319 * bvec, just use iov_iter_advance(). This makes it easier
1320 * since we can just skip the first segment, which may not
1321 * be PAGE_SIZE aligned.
1323 const struct bio_vec *bvec = imu->bvec;
1325 if (offset <= bvec->bv_len) {
1327 * Note, huge pages buffers consists of one large
1328 * bvec entry and should always go this way. The other
1329 * branch doesn't expect non PAGE_SIZE'd chunks.
1332 iter->nr_segs = bvec->bv_len;
1333 iter->count -= offset;
1334 iter->iov_offset = offset;
1336 unsigned long seg_skip;
1338 /* skip first vec */
1339 offset -= bvec->bv_len;
1340 seg_skip = 1 + (offset >> PAGE_SHIFT);
1342 iter->bvec = bvec + seg_skip;
1343 iter->nr_segs -= seg_skip;
1344 iter->count -= bvec->bv_len + offset;
1345 iter->iov_offset = offset & ~PAGE_MASK;
projects / platform / kernel / linux-starfive.git / blob