1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/nospec.h>
9 #include <linux/hugetlb.h>
10 #include <linux/compat.h>
11 #include <linux/io_uring.h>
13 #include <uapi/linux/io_uring.h>
16 #include "openclose.h"
19 struct io_rsrc_update {
26 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
27 struct io_mapped_ubuf **pimu,
28 struct page **last_hpage);
31 #define IORING_MAX_FIXED_FILES (1U << 20)
32 #define IORING_MAX_REG_BUFFERS (1U << 14)
34 int __io_account_mem(struct user_struct *user, unsigned long nr_pages)
36 unsigned long page_limit, cur_pages, new_pages;
41 /* Don't allow more pages than we can safely lock */
42 page_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
44 cur_pages = atomic_long_read(&user->locked_vm);
46 new_pages = cur_pages + nr_pages;
47 if (new_pages > page_limit)
49 } while (!atomic_long_try_cmpxchg(&user->locked_vm,
50 &cur_pages, new_pages));
54 static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
57 __io_unaccount_mem(ctx->user, nr_pages);
60 atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm);
63 static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
68 ret = __io_account_mem(ctx->user, nr_pages);
74 atomic64_add(nr_pages, &ctx->mm_account->pinned_vm);
79 static int io_copy_iov(struct io_ring_ctx *ctx, struct iovec *dst,
80 void __user *arg, unsigned index)
82 struct iovec __user *src;
86 struct compat_iovec __user *ciovs;
87 struct compat_iovec ciov;
89 ciovs = (struct compat_iovec __user *) arg;
90 if (copy_from_user(&ciov, &ciovs[index], sizeof(ciov)))
93 dst->iov_base = u64_to_user_ptr((u64)ciov.iov_base);
94 dst->iov_len = ciov.iov_len;
98 src = (struct iovec __user *) arg;
99 if (copy_from_user(dst, &src[index], sizeof(*dst)))
104 static int io_buffer_validate(struct iovec *iov)
106 unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
109 * Don't impose further limits on the size and buffer
110 * constraints here, we'll -EINVAL later when IO is
111 * submitted if they are wrong.
114 return iov->iov_len ? -EFAULT : 0;
118 /* arbitrary limit, but we need something */
119 if (iov->iov_len > SZ_1G)
122 if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
128 static void io_buffer_unmap(struct io_ring_ctx *ctx, struct io_mapped_ubuf **slot)
130 struct io_mapped_ubuf *imu = *slot;
133 if (imu != ctx->dummy_ubuf) {
134 for (i = 0; i < imu->nr_bvecs; i++)
135 unpin_user_page(imu->bvec[i].bv_page);
137 io_unaccount_mem(ctx, imu->acct_pages);
143 static void io_rsrc_put_work_one(struct io_rsrc_data *rsrc_data,
144 struct io_rsrc_put *prsrc)
146 struct io_ring_ctx *ctx = rsrc_data->ctx;
149 if (ctx->flags & IORING_SETUP_IOPOLL) {
150 mutex_lock(&ctx->uring_lock);
151 io_post_aux_cqe(ctx, prsrc->tag, 0, 0);
152 mutex_unlock(&ctx->uring_lock);
154 io_post_aux_cqe(ctx, prsrc->tag, 0, 0);
157 rsrc_data->do_put(ctx, prsrc);
160 static void __io_rsrc_put_work(struct io_rsrc_node *ref_node)
162 struct io_rsrc_data *rsrc_data = ref_node->rsrc_data;
163 struct io_rsrc_put *prsrc, *tmp;
165 if (ref_node->inline_items)
166 io_rsrc_put_work_one(rsrc_data, &ref_node->item);
168 list_for_each_entry_safe(prsrc, tmp, &ref_node->item_list, list) {
169 list_del(&prsrc->list);
170 io_rsrc_put_work_one(rsrc_data, prsrc);
174 io_rsrc_node_destroy(ref_node);
175 if (atomic_dec_and_test(&rsrc_data->refs))
176 complete(&rsrc_data->done);
179 void io_rsrc_put_work(struct work_struct *work)
181 struct io_ring_ctx *ctx;
182 struct llist_node *node;
184 ctx = container_of(work, struct io_ring_ctx, rsrc_put_work.work);
185 node = llist_del_all(&ctx->rsrc_put_llist);
188 struct io_rsrc_node *ref_node;
189 struct llist_node *next = node->next;
191 ref_node = llist_entry(node, struct io_rsrc_node, llist);
192 __io_rsrc_put_work(ref_node);
197 void io_rsrc_put_tw(struct callback_head *cb)
199 struct io_ring_ctx *ctx = container_of(cb, struct io_ring_ctx,
202 io_rsrc_put_work(&ctx->rsrc_put_work.work);
205 void io_wait_rsrc_data(struct io_rsrc_data *data)
207 if (data && !atomic_dec_and_test(&data->refs))
208 wait_for_completion(&data->done);
211 void io_rsrc_node_destroy(struct io_rsrc_node *ref_node)
216 void io_rsrc_node_ref_zero(struct io_rsrc_node *node)
217 __must_hold(&node->rsrc_data->ctx->uring_lock)
219 struct io_ring_ctx *ctx = node->rsrc_data->ctx;
220 bool first_add = false;
221 unsigned long delay = HZ;
225 /* if we are mid-quiesce then do not delay */
226 if (node->rsrc_data->quiesce)
229 while (!list_empty(&ctx->rsrc_ref_list)) {
230 node = list_first_entry(&ctx->rsrc_ref_list,
231 struct io_rsrc_node, node);
232 /* recycle ref nodes in order */
235 list_del(&node->node);
236 first_add |= llist_add(&node->llist, &ctx->rsrc_put_llist);
242 if (ctx->submitter_task) {
243 if (!task_work_add(ctx->submitter_task, &ctx->rsrc_put_tw,
247 mod_delayed_work(system_wq, &ctx->rsrc_put_work, delay);
250 static struct io_rsrc_node *io_rsrc_node_alloc(void)
252 struct io_rsrc_node *ref_node;
254 ref_node = kzalloc(sizeof(*ref_node), GFP_KERNEL);
259 INIT_LIST_HEAD(&ref_node->node);
260 INIT_LIST_HEAD(&ref_node->item_list);
261 ref_node->done = false;
262 ref_node->inline_items = 0;
266 void io_rsrc_node_switch(struct io_ring_ctx *ctx,
267 struct io_rsrc_data *data_to_kill)
268 __must_hold(&ctx->uring_lock)
270 WARN_ON_ONCE(!ctx->rsrc_backup_node);
271 WARN_ON_ONCE(data_to_kill && !ctx->rsrc_node);
274 struct io_rsrc_node *rsrc_node = ctx->rsrc_node;
276 rsrc_node->rsrc_data = data_to_kill;
277 list_add_tail(&rsrc_node->node, &ctx->rsrc_ref_list);
279 atomic_inc(&data_to_kill->refs);
281 io_put_rsrc_node(rsrc_node);
282 ctx->rsrc_node = NULL;
285 if (!ctx->rsrc_node) {
286 ctx->rsrc_node = ctx->rsrc_backup_node;
287 ctx->rsrc_backup_node = NULL;
291 int io_rsrc_node_switch_start(struct io_ring_ctx *ctx)
293 if (ctx->rsrc_backup_node)
295 ctx->rsrc_backup_node = io_rsrc_node_alloc();
296 return ctx->rsrc_backup_node ? 0 : -ENOMEM;
299 __cold static int io_rsrc_ref_quiesce(struct io_rsrc_data *data,
300 struct io_ring_ctx *ctx)
304 /* As we may drop ->uring_lock, other task may have started quiesce */
307 ret = io_rsrc_node_switch_start(ctx);
310 io_rsrc_node_switch(ctx, data);
312 /* kill initial ref, already quiesced if zero */
313 if (atomic_dec_and_test(&data->refs))
316 data->quiesce = true;
317 mutex_unlock(&ctx->uring_lock);
319 ret = io_run_task_work_sig(ctx);
321 atomic_inc(&data->refs);
322 /* wait for all works potentially completing data->done */
323 flush_delayed_work(&ctx->rsrc_put_work);
324 reinit_completion(&data->done);
325 mutex_lock(&ctx->uring_lock);
329 flush_delayed_work(&ctx->rsrc_put_work);
330 ret = wait_for_completion_interruptible(&data->done);
332 mutex_lock(&ctx->uring_lock);
333 if (atomic_read(&data->refs) <= 0)
336 * it has been revived by another thread while
339 mutex_unlock(&ctx->uring_lock);
342 data->quiesce = false;
347 static void io_free_page_table(void **table, size_t size)
349 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
351 for (i = 0; i < nr_tables; i++)
356 static void io_rsrc_data_free(struct io_rsrc_data *data)
358 size_t size = data->nr * sizeof(data->tags[0][0]);
361 io_free_page_table((void **)data->tags, size);
365 static __cold void **io_alloc_page_table(size_t size)
367 unsigned i, nr_tables = DIV_ROUND_UP(size, PAGE_SIZE);
368 size_t init_size = size;
371 table = kcalloc(nr_tables, sizeof(*table), GFP_KERNEL_ACCOUNT);
375 for (i = 0; i < nr_tables; i++) {
376 unsigned int this_size = min_t(size_t, size, PAGE_SIZE);
378 table[i] = kzalloc(this_size, GFP_KERNEL_ACCOUNT);
380 io_free_page_table(table, init_size);
388 __cold static int io_rsrc_data_alloc(struct io_ring_ctx *ctx,
389 rsrc_put_fn *do_put, u64 __user *utags,
390 unsigned nr, struct io_rsrc_data **pdata)
392 struct io_rsrc_data *data;
396 data = kzalloc(sizeof(*data), GFP_KERNEL);
399 data->tags = (u64 **)io_alloc_page_table(nr * sizeof(data->tags[0][0]));
407 data->do_put = do_put;
410 for (i = 0; i < nr; i++) {
411 u64 *tag_slot = io_get_tag_slot(data, i);
413 if (copy_from_user(tag_slot, &utags[i],
419 atomic_set(&data->refs, 1);
420 init_completion(&data->done);
424 io_rsrc_data_free(data);
428 static int __io_sqe_files_update(struct io_ring_ctx *ctx,
429 struct io_uring_rsrc_update2 *up,
432 u64 __user *tags = u64_to_user_ptr(up->tags);
433 __s32 __user *fds = u64_to_user_ptr(up->data);
434 struct io_rsrc_data *data = ctx->file_data;
435 struct io_fixed_file *file_slot;
439 bool needs_switch = false;
443 if (up->offset + nr_args > ctx->nr_user_files)
446 for (done = 0; done < nr_args; done++) {
449 if ((tags && copy_from_user(&tag, &tags[done], sizeof(tag))) ||
450 copy_from_user(&fd, &fds[done], sizeof(fd))) {
454 if ((fd == IORING_REGISTER_FILES_SKIP || fd == -1) && tag) {
458 if (fd == IORING_REGISTER_FILES_SKIP)
461 i = array_index_nospec(up->offset + done, ctx->nr_user_files);
462 file_slot = io_fixed_file_slot(&ctx->file_table, i);
464 if (file_slot->file_ptr) {
465 file = (struct file *)(file_slot->file_ptr & FFS_MASK);
466 err = io_queue_rsrc_removal(data, i, ctx->rsrc_node, file);
469 file_slot->file_ptr = 0;
470 io_file_bitmap_clear(&ctx->file_table, i);
480 * Don't allow io_uring instances to be registered. If
481 * UNIX isn't enabled, then this causes a reference
482 * cycle and this instance can never get freed. If UNIX
483 * is enabled we'll handle it just fine, but there's
484 * still no point in allowing a ring fd as it doesn't
485 * support regular read/write anyway.
487 if (io_is_uring_fops(file)) {
492 err = io_scm_file_account(ctx, file);
497 *io_get_tag_slot(data, i) = tag;
498 io_fixed_file_set(file_slot, file);
499 io_file_bitmap_set(&ctx->file_table, i);
504 io_rsrc_node_switch(ctx, data);
505 return done ? done : err;
508 static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
509 struct io_uring_rsrc_update2 *up,
510 unsigned int nr_args)
512 u64 __user *tags = u64_to_user_ptr(up->tags);
513 struct iovec iov, __user *iovs = u64_to_user_ptr(up->data);
514 struct page *last_hpage = NULL;
515 bool needs_switch = false;
521 if (up->offset + nr_args > ctx->nr_user_bufs)
524 for (done = 0; done < nr_args; done++) {
525 struct io_mapped_ubuf *imu;
526 int offset = up->offset + done;
529 err = io_copy_iov(ctx, &iov, iovs, done);
532 if (tags && copy_from_user(&tag, &tags[done], sizeof(tag))) {
536 err = io_buffer_validate(&iov);
539 if (!iov.iov_base && tag) {
543 err = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);
547 i = array_index_nospec(offset, ctx->nr_user_bufs);
548 if (ctx->user_bufs[i] != ctx->dummy_ubuf) {
549 err = io_queue_rsrc_removal(ctx->buf_data, i,
550 ctx->rsrc_node, ctx->user_bufs[i]);
552 io_buffer_unmap(ctx, &imu);
555 ctx->user_bufs[i] = ctx->dummy_ubuf;
559 ctx->user_bufs[i] = imu;
560 *io_get_tag_slot(ctx->buf_data, offset) = tag;
564 io_rsrc_node_switch(ctx, ctx->buf_data);
565 return done ? done : err;
568 static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type,
569 struct io_uring_rsrc_update2 *up,
575 if (check_add_overflow(up->offset, nr_args, &tmp))
577 err = io_rsrc_node_switch_start(ctx);
582 case IORING_RSRC_FILE:
583 return __io_sqe_files_update(ctx, up, nr_args);
584 case IORING_RSRC_BUFFER:
585 return __io_sqe_buffers_update(ctx, up, nr_args);
590 int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg,
593 struct io_uring_rsrc_update2 up;
597 memset(&up, 0, sizeof(up));
598 if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update)))
600 if (up.resv || up.resv2)
602 return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args);
605 int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
606 unsigned size, unsigned type)
608 struct io_uring_rsrc_update2 up;
610 if (size != sizeof(up))
612 if (copy_from_user(&up, arg, sizeof(up)))
614 if (!up.nr || up.resv || up.resv2)
616 return __io_register_rsrc_update(ctx, type, &up, up.nr);
619 __cold int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
620 unsigned int size, unsigned int type)
622 struct io_uring_rsrc_register rr;
624 /* keep it extendible */
625 if (size != sizeof(rr))
628 memset(&rr, 0, sizeof(rr));
629 if (copy_from_user(&rr, arg, size))
631 if (!rr.nr || rr.resv2)
633 if (rr.flags & ~IORING_RSRC_REGISTER_SPARSE)
637 case IORING_RSRC_FILE:
638 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
640 return io_sqe_files_register(ctx, u64_to_user_ptr(rr.data),
641 rr.nr, u64_to_user_ptr(rr.tags));
642 case IORING_RSRC_BUFFER:
643 if (rr.flags & IORING_RSRC_REGISTER_SPARSE && rr.data)
645 return io_sqe_buffers_register(ctx, u64_to_user_ptr(rr.data),
646 rr.nr, u64_to_user_ptr(rr.tags));
651 int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
653 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
655 if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
657 if (sqe->rw_flags || sqe->splice_fd_in)
660 up->offset = READ_ONCE(sqe->off);
661 up->nr_args = READ_ONCE(sqe->len);
664 up->arg = READ_ONCE(sqe->addr);
668 static int io_files_update_with_index_alloc(struct io_kiocb *req,
669 unsigned int issue_flags)
671 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
672 __s32 __user *fds = u64_to_user_ptr(up->arg);
677 if (!req->ctx->file_data)
680 for (done = 0; done < up->nr_args; done++) {
681 if (copy_from_user(&fd, &fds[done], sizeof(fd))) {
691 ret = io_fixed_fd_install(req, issue_flags, file,
692 IORING_FILE_INDEX_ALLOC);
695 if (copy_to_user(&fds[done], &ret, sizeof(ret))) {
696 __io_close_fixed(req->ctx, issue_flags, ret);
707 int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
709 struct io_rsrc_update *up = io_kiocb_to_cmd(req, struct io_rsrc_update);
710 struct io_ring_ctx *ctx = req->ctx;
711 struct io_uring_rsrc_update2 up2;
714 up2.offset = up->offset;
721 if (up->offset == IORING_FILE_INDEX_ALLOC) {
722 ret = io_files_update_with_index_alloc(req, issue_flags);
724 io_ring_submit_lock(ctx, issue_flags);
725 ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
727 io_ring_submit_unlock(ctx, issue_flags);
732 io_req_set_res(req, ret, 0);
736 int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,
737 struct io_rsrc_node *node, void *rsrc)
739 u64 *tag_slot = io_get_tag_slot(data, idx);
740 struct io_rsrc_put *prsrc;
741 bool inline_item = true;
743 if (!node->inline_items) {
745 node->inline_items++;
747 prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL);
753 prsrc->tag = *tag_slot;
757 list_add(&prsrc->list, &node->item_list);
761 void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
765 for (i = 0; i < ctx->nr_user_files; i++) {
766 struct file *file = io_file_from_index(&ctx->file_table, i);
768 /* skip scm accounted files, they'll be freed by ->ring_sock */
769 if (!file || io_file_need_scm(file))
771 io_file_bitmap_clear(&ctx->file_table, i);
775 #if defined(CONFIG_UNIX)
776 if (ctx->ring_sock) {
777 struct sock *sock = ctx->ring_sock->sk;
780 while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL)
784 io_free_file_tables(&ctx->file_table);
785 io_file_table_set_alloc_range(ctx, 0, 0);
786 io_rsrc_data_free(ctx->file_data);
787 ctx->file_data = NULL;
788 ctx->nr_user_files = 0;
791 int io_sqe_files_unregister(struct io_ring_ctx *ctx)
793 unsigned nr = ctx->nr_user_files;
800 * Quiesce may unlock ->uring_lock, and while it's not held
801 * prevent new requests using the table.
803 ctx->nr_user_files = 0;
804 ret = io_rsrc_ref_quiesce(ctx->file_data, ctx);
805 ctx->nr_user_files = nr;
807 __io_sqe_files_unregister(ctx);
812 * Ensure the UNIX gc is aware of our file set, so we are certain that
813 * the io_uring can be safely unregistered on process exit, even if we have
814 * loops in the file referencing. We account only files that can hold other
815 * files because otherwise they can't form a loop and so are not interesting
818 int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file)
820 #if defined(CONFIG_UNIX)
821 struct sock *sk = ctx->ring_sock->sk;
822 struct sk_buff_head *head = &sk->sk_receive_queue;
823 struct scm_fp_list *fpl;
826 if (likely(!io_file_need_scm(file)))
830 * See if we can merge this file into an existing skb SCM_RIGHTS
831 * file set. If there's no room, fall back to allocating a new skb
834 spin_lock_irq(&head->lock);
835 skb = skb_peek(head);
836 if (skb && UNIXCB(skb).fp->count < SCM_MAX_FD)
837 __skb_unlink(skb, head);
840 spin_unlock_irq(&head->lock);
843 fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
847 skb = alloc_skb(0, GFP_KERNEL);
853 fpl->user = get_uid(current_user());
854 fpl->max = SCM_MAX_FD;
857 UNIXCB(skb).fp = fpl;
859 skb->scm_io_uring = 1;
860 skb->destructor = unix_destruct_scm;
861 refcount_add(skb->truesize, &sk->sk_wmem_alloc);
864 fpl = UNIXCB(skb).fp;
865 fpl->fp[fpl->count++] = get_file(file);
866 unix_inflight(fpl->user, file);
867 skb_queue_head(head, skb);
873 static void io_rsrc_file_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
875 struct file *file = prsrc->file;
876 #if defined(CONFIG_UNIX)
877 struct sock *sock = ctx->ring_sock->sk;
878 struct sk_buff_head list, *head = &sock->sk_receive_queue;
882 if (!io_file_need_scm(file)) {
887 __skb_queue_head_init(&list);
890 * Find the skb that holds this file in its SCM_RIGHTS. When found,
891 * remove this entry and rearrange the file array.
893 skb = skb_dequeue(head);
895 struct scm_fp_list *fp;
898 for (i = 0; i < fp->count; i++) {
901 if (fp->fp[i] != file)
904 unix_notinflight(fp->user, fp->fp[i]);
905 left = fp->count - 1 - i;
907 memmove(&fp->fp[i], &fp->fp[i + 1],
908 left * sizeof(struct file *));
915 __skb_queue_tail(&list, skb);
925 __skb_queue_tail(&list, skb);
927 skb = skb_dequeue(head);
930 if (skb_peek(&list)) {
931 spin_lock_irq(&head->lock);
932 while ((skb = __skb_dequeue(&list)) != NULL)
933 __skb_queue_tail(head, skb);
934 spin_unlock_irq(&head->lock);
941 int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
942 unsigned nr_args, u64 __user *tags)
944 __s32 __user *fds = (__s32 __user *) arg;
953 if (nr_args > IORING_MAX_FIXED_FILES)
955 if (nr_args > rlimit(RLIMIT_NOFILE))
957 ret = io_rsrc_node_switch_start(ctx);
960 ret = io_rsrc_data_alloc(ctx, io_rsrc_file_put, tags, nr_args,
965 if (!io_alloc_file_tables(&ctx->file_table, nr_args)) {
966 io_rsrc_data_free(ctx->file_data);
967 ctx->file_data = NULL;
971 for (i = 0; i < nr_args; i++, ctx->nr_user_files++) {
972 struct io_fixed_file *file_slot;
974 if (fds && copy_from_user(&fd, &fds[i], sizeof(fd))) {
978 /* allow sparse sets */
979 if (!fds || fd == -1) {
981 if (unlikely(*io_get_tag_slot(ctx->file_data, i)))
992 * Don't allow io_uring instances to be registered. If UNIX
993 * isn't enabled, then this causes a reference cycle and this
994 * instance can never get freed. If UNIX is enabled we'll
995 * handle it just fine, but there's still no point in allowing
996 * a ring fd as it doesn't support regular read/write anyway.
998 if (io_is_uring_fops(file)) {
1002 ret = io_scm_file_account(ctx, file);
1007 file_slot = io_fixed_file_slot(&ctx->file_table, i);
1008 io_fixed_file_set(file_slot, file);
1009 io_file_bitmap_set(&ctx->file_table, i);
1012 /* default it to the whole table */
1013 io_file_table_set_alloc_range(ctx, 0, ctx->nr_user_files);
1014 io_rsrc_node_switch(ctx, NULL);
1017 __io_sqe_files_unregister(ctx);
1021 static void io_rsrc_buf_put(struct io_ring_ctx *ctx, struct io_rsrc_put *prsrc)
1023 io_buffer_unmap(ctx, &prsrc->buf);
1027 void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
1031 for (i = 0; i < ctx->nr_user_bufs; i++)
1032 io_buffer_unmap(ctx, &ctx->user_bufs[i]);
1033 kfree(ctx->user_bufs);
1034 io_rsrc_data_free(ctx->buf_data);
1035 ctx->user_bufs = NULL;
1036 ctx->buf_data = NULL;
1037 ctx->nr_user_bufs = 0;
1040 int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
1042 unsigned nr = ctx->nr_user_bufs;
1049 * Quiesce may unlock ->uring_lock, and while it's not held
1050 * prevent new requests using the table.
1052 ctx->nr_user_bufs = 0;
1053 ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
1054 ctx->nr_user_bufs = nr;
1056 __io_sqe_buffers_unregister(ctx);
1061 * Not super efficient, but this is just a registration time. And we do cache
1062 * the last compound head, so generally we'll only do a full search if we don't
1065 * We check if the given compound head page has already been accounted, to
1066 * avoid double accounting it. This allows us to account the full size of the
1067 * page, not just the constituent pages of a huge page.
1069 static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages,
1070 int nr_pages, struct page *hpage)
1074 /* check current page array */
1075 for (i = 0; i < nr_pages; i++) {
1076 if (!PageCompound(pages[i]))
1078 if (compound_head(pages[i]) == hpage)
1082 /* check previously registered pages */
1083 for (i = 0; i < ctx->nr_user_bufs; i++) {
1084 struct io_mapped_ubuf *imu = ctx->user_bufs[i];
1086 for (j = 0; j < imu->nr_bvecs; j++) {
1087 if (!PageCompound(imu->bvec[j].bv_page))
1089 if (compound_head(imu->bvec[j].bv_page) == hpage)
1097 static int io_buffer_account_pin(struct io_ring_ctx *ctx, struct page **pages,
1098 int nr_pages, struct io_mapped_ubuf *imu,
1099 struct page **last_hpage)
1103 imu->acct_pages = 0;
1104 for (i = 0; i < nr_pages; i++) {
1105 if (!PageCompound(pages[i])) {
1110 hpage = compound_head(pages[i]);
1111 if (hpage == *last_hpage)
1113 *last_hpage = hpage;
1114 if (headpage_already_acct(ctx, pages, i, hpage))
1116 imu->acct_pages += page_size(hpage) >> PAGE_SHIFT;
1120 if (!imu->acct_pages)
1123 ret = io_account_mem(ctx, imu->acct_pages);
1125 imu->acct_pages = 0;
1129 struct page **io_pin_pages(unsigned long ubuf, unsigned long len, int *npages)
1131 unsigned long start, end, nr_pages;
1132 struct vm_area_struct **vmas = NULL;
1133 struct page **pages = NULL;
1134 int i, pret, ret = -ENOMEM;
1136 end = (ubuf + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1137 start = ubuf >> PAGE_SHIFT;
1138 nr_pages = end - start;
1140 pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL);
1144 vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *),
1150 mmap_read_lock(current->mm);
1151 pret = pin_user_pages(ubuf, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
1153 if (pret == nr_pages) {
1154 struct file *file = vmas[0]->vm_file;
1156 /* don't support file backed memory */
1157 for (i = 0; i < nr_pages; i++) {
1158 if (vmas[i]->vm_file != file) {
1164 if (!vma_is_shmem(vmas[i]) && !is_file_hugepages(file)) {
1171 ret = pret < 0 ? pret : -EFAULT;
1173 mmap_read_unlock(current->mm);
1176 * if we did partial map, or found file backed vmas,
1177 * release any pages we did get
1180 unpin_user_pages(pages, pret);
1188 pages = ERR_PTR(ret);
1193 static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
1194 struct io_mapped_ubuf **pimu,
1195 struct page **last_hpage)
1197 struct io_mapped_ubuf *imu = NULL;
1198 struct page **pages = NULL;
1201 int ret, nr_pages, i;
1202 struct folio *folio = NULL;
1204 *pimu = ctx->dummy_ubuf;
1209 pages = io_pin_pages((unsigned long) iov->iov_base, iov->iov_len,
1211 if (IS_ERR(pages)) {
1212 ret = PTR_ERR(pages);
1217 /* If it's a huge page, try to coalesce them into a single bvec entry */
1219 folio = page_folio(pages[0]);
1220 for (i = 1; i < nr_pages; i++) {
1221 if (page_folio(pages[i]) != folio) {
1228 * The pages are bound to the folio, it doesn't
1229 * actually unpin them but drops all but one reference,
1230 * which is usually put down by io_buffer_unmap().
1231 * Note, needs a better helper.
1233 unpin_user_pages(&pages[1], nr_pages - 1);
1238 imu = kvmalloc(struct_size(imu, bvec, nr_pages), GFP_KERNEL);
1242 ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
1244 unpin_user_pages(pages, nr_pages);
1248 off = (unsigned long) iov->iov_base & ~PAGE_MASK;
1249 size = iov->iov_len;
1250 /* store original address for later verification */
1251 imu->ubuf = (unsigned long) iov->iov_base;
1252 imu->ubuf_end = imu->ubuf + iov->iov_len;
1253 imu->nr_bvecs = nr_pages;
1258 bvec_set_page(&imu->bvec[0], pages[0], size, off);
1261 for (i = 0; i < nr_pages; i++) {
1264 vec_len = min_t(size_t, size, PAGE_SIZE - off);
1265 bvec_set_page(&imu->bvec[i], pages[i], vec_len, off);
1276 static int io_buffers_map_alloc(struct io_ring_ctx *ctx, unsigned int nr_args)
1278 ctx->user_bufs = kcalloc(nr_args, sizeof(*ctx->user_bufs), GFP_KERNEL);
1279 return ctx->user_bufs ? 0 : -ENOMEM;
1282 int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
1283 unsigned int nr_args, u64 __user *tags)
1285 struct page *last_hpage = NULL;
1286 struct io_rsrc_data *data;
1290 BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
1294 if (!nr_args || nr_args > IORING_MAX_REG_BUFFERS)
1296 ret = io_rsrc_node_switch_start(ctx);
1299 ret = io_rsrc_data_alloc(ctx, io_rsrc_buf_put, tags, nr_args, &data);
1302 ret = io_buffers_map_alloc(ctx, nr_args);
1304 io_rsrc_data_free(data);
1308 for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {
1310 ret = io_copy_iov(ctx, &iov, arg, i);
1313 ret = io_buffer_validate(&iov);
1317 memset(&iov, 0, sizeof(iov));
1320 if (!iov.iov_base && *io_get_tag_slot(data, i)) {
1325 ret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],
1331 WARN_ON_ONCE(ctx->buf_data);
1333 ctx->buf_data = data;
1335 __io_sqe_buffers_unregister(ctx);
1337 io_rsrc_node_switch(ctx, NULL);
1341 int io_import_fixed(int ddir, struct iov_iter *iter,
1342 struct io_mapped_ubuf *imu,
1343 u64 buf_addr, size_t len)
1348 if (WARN_ON_ONCE(!imu))
1350 if (unlikely(check_add_overflow(buf_addr, (u64)len, &buf_end)))
1352 /* not inside the mapped region */
1353 if (unlikely(buf_addr < imu->ubuf || buf_end > imu->ubuf_end))
1357 * Might not be a start of buffer, set size appropriately
1358 * and advance us to the beginning.
1360 offset = buf_addr - imu->ubuf;
1361 iov_iter_bvec(iter, ddir, imu->bvec, imu->nr_bvecs, offset + len);
1365 * Don't use iov_iter_advance() here, as it's really slow for
1366 * using the latter parts of a big fixed buffer - it iterates
1367 * over each segment manually. We can cheat a bit here, because
1370 * 1) it's a BVEC iter, we set it up
1371 * 2) all bvecs are PAGE_SIZE in size, except potentially the
1372 * first and last bvec
1374 * So just find our index, and adjust the iterator afterwards.
1375 * If the offset is within the first bvec (or the whole first
1376 * bvec, just use iov_iter_advance(). This makes it easier
1377 * since we can just skip the first segment, which may not
1378 * be PAGE_SIZE aligned.
1380 const struct bio_vec *bvec = imu->bvec;
1382 if (offset <= bvec->bv_len) {
1384 * Note, huge pages buffers consists of one large
1385 * bvec entry and should always go this way. The other
1386 * branch doesn't expect non PAGE_SIZE'd chunks.
1389 iter->nr_segs = bvec->bv_len;
1390 iter->count -= offset;
1391 iter->iov_offset = offset;
1393 unsigned long seg_skip;
1395 /* skip first vec */
1396 offset -= bvec->bv_len;
1397 seg_skip = 1 + (offset >> PAGE_SHIFT);
1399 iter->bvec = bvec + seg_skip;
1400 iter->nr_segs -= seg_skip;
1401 iter->count -= bvec->bv_len + offset;
1402 iter->iov_offset = offset & ~PAGE_MASK;
projects / platform / kernel / linux-starfive.git / blob