search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
[drm/drm-misc.git] / io_uring / rw.c
blob0bcb83e4ce3cf9b0d02da3f6cd504a377931ccde
1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
4 #include <linux/fs.h>
5 #include <linux/file.h>
6 #include <linux/blk-mq.h>
7 #include <linux/mm.h>
8 #include <linux/slab.h>
9 #include <linux/fsnotify.h>
10 #include <linux/poll.h>
11 #include <linux/nospec.h>
12 #include <linux/compat.h>
13 #include <linux/io_uring/cmd.h>
14 #include <linux/indirect_call_wrapper.h>
15
16 #include <uapi/linux/io_uring.h>
17
18 #include "io_uring.h"
19 #include "opdef.h"
20 #include "kbuf.h"
21 #include "alloc_cache.h"
22 #include "rsrc.h"
23 #include "poll.h"
24 #include "rw.h"
25
26 struct io_rw {
27 /* NOTE: kiocb has the file as the first member, so don't do it here */
28 struct kiocb kiocb;
29 u64 addr;
30 u32 len;
31 rwf_t flags;
32 };
33
34 static bool io_file_supports_nowait(struct io_kiocb *req, __poll_t mask)
35 {
36 /* If FMODE_NOWAIT is set for a file, we're golden */
37 if (req->flags & REQ_F_SUPPORT_NOWAIT)
38 return true;
39 /* No FMODE_NOWAIT, if we can poll, check the status */
40 if (io_file_can_poll(req)) {
41 struct poll_table_struct pt = { ._key = mask };
42
43 return vfs_poll(req->file, &pt) & mask;
44 }
45 /* No FMODE_NOWAIT support, and file isn't pollable. Tough luck. */
46 return false;
47 }
48
49 #ifdef CONFIG_COMPAT
50 static int io_iov_compat_buffer_select_prep(struct io_rw *rw)
51 {
52 struct compat_iovec __user *uiov;
53 compat_ssize_t clen;
54
55 uiov = u64_to_user_ptr(rw->addr);
56 if (!access_ok(uiov, sizeof(*uiov)))
57 return -EFAULT;
58 if (__get_user(clen, &uiov->iov_len))
59 return -EFAULT;
60 if (clen < 0)
61 return -EINVAL;
62
63 rw->len = clen;
64 return 0;
65 }
66 #endif
67
68 static int io_iov_buffer_select_prep(struct io_kiocb *req)
69 {
70 struct iovec __user *uiov;
71 struct iovec iov;
72 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
73
74 if (rw->len != 1)
75 return -EINVAL;
76
77 #ifdef CONFIG_COMPAT
78 if (req->ctx->compat)
79 return io_iov_compat_buffer_select_prep(rw);
80 #endif
81
82 uiov = u64_to_user_ptr(rw->addr);
83 if (copy_from_user(&iov, uiov, sizeof(*uiov)))
84 return -EFAULT;
85 rw->len = iov.iov_len;
86 return 0;
87 }
88
89 static int __io_import_iovec(int ddir, struct io_kiocb *req,
90 struct io_async_rw *io,
91 unsigned int issue_flags)
92 {
93 const struct io_issue_def *def = &io_issue_defs[req->opcode];
94 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
95 struct iovec *iov;
96 void __user *buf;
97 int nr_segs, ret;
98 size_t sqe_len;
99
100 buf = u64_to_user_ptr(rw->addr);
101 sqe_len = rw->len;
102
103 if (!def->vectored || req->flags & REQ_F_BUFFER_SELECT) {
104 if (io_do_buffer_select(req)) {
105 buf = io_buffer_select(req, &sqe_len, issue_flags);
106 if (!buf)
107 return -ENOBUFS;
108 rw->addr = (unsigned long) buf;
109 rw->len = sqe_len;
110 }
111
112 return import_ubuf(ddir, buf, sqe_len, &io->iter);
113 }
114
115 if (io->free_iovec) {
116 nr_segs = io->free_iov_nr;
117 iov = io->free_iovec;
118 } else {
119 iov = &io->fast_iov;
120 nr_segs = 1;
121 }
122 ret = __import_iovec(ddir, buf, sqe_len, nr_segs, &iov, &io->iter,
123 req->ctx->compat);
124 if (unlikely(ret < 0))
125 return ret;
126 if (iov) {
127 req->flags |= REQ_F_NEED_CLEANUP;
128 io->free_iov_nr = io->iter.nr_segs;
129 kfree(io->free_iovec);
130 io->free_iovec = iov;
131 }
132 return 0;
133 }
134
135 static inline int io_import_iovec(int rw, struct io_kiocb *req,
136 struct io_async_rw *io,
137 unsigned int issue_flags)
138 {
139 int ret;
140
141 ret = __io_import_iovec(rw, req, io, issue_flags);
142 if (unlikely(ret < 0))
143 return ret;
144
145 iov_iter_save_state(&io->iter, &io->iter_state);
146 return 0;
147 }
148
149 static void io_rw_iovec_free(struct io_async_rw *rw)
150 {
151 if (rw->free_iovec) {
152 kfree(rw->free_iovec);
153 rw->free_iov_nr = 0;
154 rw->free_iovec = NULL;
155 }
156 }
157
158 static void io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags)
159 {
160 struct io_async_rw *rw = req->async_data;
161 struct iovec *iov;
162
163 if (unlikely(issue_flags & IO_URING_F_UNLOCKED)) {
164 io_rw_iovec_free(rw);
165 return;
166 }
167 iov = rw->free_iovec;
168 if (io_alloc_cache_put(&req->ctx->rw_cache, rw)) {
169 if (iov)
170 kasan_mempool_poison_object(iov);
171 req->async_data = NULL;
172 req->flags &= ~REQ_F_ASYNC_DATA;
173 }
174 }
175
176 static void io_req_rw_cleanup(struct io_kiocb *req, unsigned int issue_flags)
177 {
178 /*
179 * Disable quick recycling for anything that's gone through io-wq.
180 * In theory, this should be fine to cleanup. However, some read or
181 * write iter handling touches the iovec AFTER having called into the
182 * handler, eg to reexpand or revert. This means we can have:
183 *
184 * task io-wq
185 * issue
186 * punt to io-wq
187 * issue
188 * blkdev_write_iter()
189 * ->ki_complete()
190 * io_complete_rw()
191 * queue tw complete
192 * run tw
193 * req_rw_cleanup
194 * iov_iter_count() <- look at iov_iter again
195 *
196 * which can lead to a UAF. This is only possible for io-wq offload
197 * as the cleanup can run in parallel. As io-wq is not the fast path,
198 * just leave cleanup to the end.
199 *
200 * This is really a bug in the core code that does this, any issue
201 * path should assume that a successful (or -EIOCBQUEUED) return can
202 * mean that the underlying data can be gone at any time. But that
203 * should be fixed seperately, and then this check could be killed.
204 */
205 if (!(req->flags & REQ_F_REFCOUNT)) {
206 req->flags &= ~REQ_F_NEED_CLEANUP;
207 io_rw_recycle(req, issue_flags);
208 }
209 }
210
211 static int io_rw_alloc_async(struct io_kiocb *req)
212 {
213 struct io_ring_ctx *ctx = req->ctx;
214 struct io_async_rw *rw;
215
216 rw = io_alloc_cache_get(&ctx->rw_cache);
217 if (rw) {
218 if (rw->free_iovec) {
219 kasan_mempool_unpoison_object(rw->free_iovec,
220 rw->free_iov_nr * sizeof(struct iovec));
221 req->flags |= REQ_F_NEED_CLEANUP;
222 }
223 req->flags |= REQ_F_ASYNC_DATA;
224 req->async_data = rw;
225 goto done;
226 }
227
228 if (!io_alloc_async_data(req)) {
229 rw = req->async_data;
230 rw->free_iovec = NULL;
231 rw->free_iov_nr = 0;
232 done:
233 rw->bytes_done = 0;
234 return 0;
235 }
236
237 return -ENOMEM;
238 }
239
240 static int io_prep_rw_setup(struct io_kiocb *req, int ddir, bool do_import)
241 {
242 struct io_async_rw *rw;
243 int ret;
244
245 if (io_rw_alloc_async(req))
246 return -ENOMEM;
247
248 if (!do_import || io_do_buffer_select(req))
249 return 0;
250
251 rw = req->async_data;
252 ret = io_import_iovec(ddir, req, rw, 0);
253 if (unlikely(ret < 0))
254 return ret;
255
256 iov_iter_save_state(&rw->iter, &rw->iter_state);
257 return 0;
258 }
259
260 static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
261 int ddir, bool do_import)
262 {
263 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
264 unsigned ioprio;
265 int ret;
266
267 rw->kiocb.ki_pos = READ_ONCE(sqe->off);
268 /* used for fixed read/write too - just read unconditionally */
269 req->buf_index = READ_ONCE(sqe->buf_index);
270
271 ioprio = READ_ONCE(sqe->ioprio);
272 if (ioprio) {
273 ret = ioprio_check_cap(ioprio);
274 if (ret)
275 return ret;
276
277 rw->kiocb.ki_ioprio = ioprio;
278 } else {
279 rw->kiocb.ki_ioprio = get_current_ioprio();
280 }
281 rw->kiocb.dio_complete = NULL;
282
283 rw->addr = READ_ONCE(sqe->addr);
284 rw->len = READ_ONCE(sqe->len);
285 rw->flags = READ_ONCE(sqe->rw_flags);
286 return io_prep_rw_setup(req, ddir, do_import);
287 }
288
289 int io_prep_read(struct io_kiocb *req, const struct io_uring_sqe *sqe)
290 {
291 return io_prep_rw(req, sqe, ITER_DEST, true);
292 }
293
294 int io_prep_write(struct io_kiocb *req, const struct io_uring_sqe *sqe)
295 {
296 return io_prep_rw(req, sqe, ITER_SOURCE, true);
297 }
298
299 static int io_prep_rwv(struct io_kiocb *req, const struct io_uring_sqe *sqe,
300 int ddir)
301 {
302 const bool do_import = !(req->flags & REQ_F_BUFFER_SELECT);
303 int ret;
304
305 ret = io_prep_rw(req, sqe, ddir, do_import);
306 if (unlikely(ret))
307 return ret;
308 if (do_import)
309 return 0;
310
311 /*
312 * Have to do this validation here, as this is in io_read() rw->len
313 * might have chanaged due to buffer selection
314 */
315 return io_iov_buffer_select_prep(req);
316 }
317
318 int io_prep_readv(struct io_kiocb *req, const struct io_uring_sqe *sqe)
319 {
320 return io_prep_rwv(req, sqe, ITER_DEST);
321 }
322
323 int io_prep_writev(struct io_kiocb *req, const struct io_uring_sqe *sqe)
324 {
325 return io_prep_rwv(req, sqe, ITER_SOURCE);
326 }
327
328 static int io_prep_rw_fixed(struct io_kiocb *req, const struct io_uring_sqe *sqe,
329 int ddir)
330 {
331 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
332 struct io_ring_ctx *ctx = req->ctx;
333 struct io_rsrc_node *node;
334 struct io_async_rw *io;
335 int ret;
336
337 ret = io_prep_rw(req, sqe, ddir, false);
338 if (unlikely(ret))
339 return ret;
340
341 node = io_rsrc_node_lookup(&ctx->buf_table, req->buf_index);
342 if (!node)
343 return -EFAULT;
344 io_req_assign_buf_node(req, node);
345
346 io = req->async_data;
347 ret = io_import_fixed(ddir, &io->iter, node->buf, rw->addr, rw->len);
348 iov_iter_save_state(&io->iter, &io->iter_state);
349 return ret;
350 }
351
352 int io_prep_read_fixed(struct io_kiocb *req, const struct io_uring_sqe *sqe)
353 {
354 return io_prep_rw_fixed(req, sqe, ITER_DEST);
355 }
356
357 int io_prep_write_fixed(struct io_kiocb *req, const struct io_uring_sqe *sqe)
358 {
359 return io_prep_rw_fixed(req, sqe, ITER_SOURCE);
360 }
361
362 /*
363 * Multishot read is prepared just like a normal read/write request, only
364 * difference is that we set the MULTISHOT flag.
365 */
366 int io_read_mshot_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
367 {
368 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
369 int ret;
370
371 /* must be used with provided buffers */
372 if (!(req->flags & REQ_F_BUFFER_SELECT))
373 return -EINVAL;
374
375 ret = io_prep_rw(req, sqe, ITER_DEST, false);
376 if (unlikely(ret))
377 return ret;
378
379 if (rw->addr || rw->len)
380 return -EINVAL;
381
382 req->flags |= REQ_F_APOLL_MULTISHOT;
383 return 0;
384 }
385
386 void io_readv_writev_cleanup(struct io_kiocb *req)
387 {
388 io_rw_iovec_free(req->async_data);
389 }
390
391 static inline loff_t *io_kiocb_update_pos(struct io_kiocb *req)
392 {
393 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
394
395 if (rw->kiocb.ki_pos != -1)
396 return &rw->kiocb.ki_pos;
397
398 if (!(req->file->f_mode & FMODE_STREAM)) {
399 req->flags |= REQ_F_CUR_POS;
400 rw->kiocb.ki_pos = req->file->f_pos;
401 return &rw->kiocb.ki_pos;
402 }
403
404 rw->kiocb.ki_pos = 0;
405 return NULL;
406 }
407
408 #ifdef CONFIG_BLOCK
409 static void io_resubmit_prep(struct io_kiocb *req)
410 {
411 struct io_async_rw *io = req->async_data;
412
413 iov_iter_restore(&io->iter, &io->iter_state);
414 }
415
416 static bool io_rw_should_reissue(struct io_kiocb *req)
417 {
418 umode_t mode = file_inode(req->file)->i_mode;
419 struct io_ring_ctx *ctx = req->ctx;
420
421 if (!S_ISBLK(mode) && !S_ISREG(mode))
422 return false;
423 if ((req->flags & REQ_F_NOWAIT) || (io_wq_current_is_worker() &&
424 !(ctx->flags & IORING_SETUP_IOPOLL)))
425 return false;
426 /*
427 * If ref is dying, we might be running poll reap from the exit work.
428 * Don't attempt to reissue from that path, just let it fail with
429 * -EAGAIN.
430 */
431 if (percpu_ref_is_dying(&ctx->refs))
432 return false;
433 /*
434 * Play it safe and assume not safe to re-import and reissue if we're
435 * not in the original thread group (or in task context).
436 */
437 if (!same_thread_group(req->tctx->task, current) || !in_task())
438 return false;
439 return true;
440 }
441 #else
442 static void io_resubmit_prep(struct io_kiocb *req)
443 {
444 }
445 static bool io_rw_should_reissue(struct io_kiocb *req)
446 {
447 return false;
448 }
449 #endif
450
451 static void io_req_end_write(struct io_kiocb *req)
452 {
453 if (req->flags & REQ_F_ISREG) {
454 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
455
456 kiocb_end_write(&rw->kiocb);
457 }
458 }
459
460 /*
461 * Trigger the notifications after having done some IO, and finish the write
462 * accounting, if any.
463 */
464 static void io_req_io_end(struct io_kiocb *req)
465 {
466 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
467
468 if (rw->kiocb.ki_flags & IOCB_WRITE) {
469 io_req_end_write(req);
470 fsnotify_modify(req->file);
471 } else {
472 fsnotify_access(req->file);
473 }
474 }
475
476 static bool __io_complete_rw_common(struct io_kiocb *req, long res)
477 {
478 if (unlikely(res != req->cqe.res)) {
479 if (res == -EAGAIN && io_rw_should_reissue(req)) {
480 /*
481 * Reissue will start accounting again, finish the
482 * current cycle.
483 */
484 io_req_io_end(req);
485 req->flags |= REQ_F_REISSUE | REQ_F_BL_NO_RECYCLE;
486 return true;
487 }
488 req_set_fail(req);
489 req->cqe.res = res;
490 }
491 return false;
492 }
493
494 static inline int io_fixup_rw_res(struct io_kiocb *req, long res)
495 {
496 struct io_async_rw *io = req->async_data;
497
498 /* add previously done IO, if any */
499 if (req_has_async_data(req) && io->bytes_done > 0) {
500 if (res < 0)
501 res = io->bytes_done;
502 else
503 res += io->bytes_done;
504 }
505 return res;
506 }
507
508 void io_req_rw_complete(struct io_kiocb *req, struct io_tw_state *ts)
509 {
510 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
511 struct kiocb *kiocb = &rw->kiocb;
512
513 if ((kiocb->ki_flags & IOCB_DIO_CALLER_COMP) && kiocb->dio_complete) {
514 long res = kiocb->dio_complete(rw->kiocb.private);
515
516 io_req_set_res(req, io_fixup_rw_res(req, res), 0);
517 }
518
519 io_req_io_end(req);
520
521 if (req->flags & (REQ_F_BUFFER_SELECTED|REQ_F_BUFFER_RING))
522 req->cqe.flags |= io_put_kbuf(req, req->cqe.res, 0);
523
524 io_req_rw_cleanup(req, 0);
525 io_req_task_complete(req, ts);
526 }
527
528 static void io_complete_rw(struct kiocb *kiocb, long res)
529 {
530 struct io_rw *rw = container_of(kiocb, struct io_rw, kiocb);
531 struct io_kiocb *req = cmd_to_io_kiocb(rw);
532
533 if (!kiocb->dio_complete || !(kiocb->ki_flags & IOCB_DIO_CALLER_COMP)) {
534 if (__io_complete_rw_common(req, res))
535 return;
536 io_req_set_res(req, io_fixup_rw_res(req, res), 0);
537 }
538 req->io_task_work.func = io_req_rw_complete;
539 __io_req_task_work_add(req, IOU_F_TWQ_LAZY_WAKE);
540 }
541
542 static void io_complete_rw_iopoll(struct kiocb *kiocb, long res)
543 {
544 struct io_rw *rw = container_of(kiocb, struct io_rw, kiocb);
545 struct io_kiocb *req = cmd_to_io_kiocb(rw);
546
547 if (kiocb->ki_flags & IOCB_WRITE)
548 io_req_end_write(req);
549 if (unlikely(res != req->cqe.res)) {
550 if (res == -EAGAIN && io_rw_should_reissue(req)) {
551 req->flags |= REQ_F_REISSUE | REQ_F_BL_NO_RECYCLE;
552 return;
553 }
554 req->cqe.res = res;
555 }
556
557 /* order with io_iopoll_complete() checking ->iopoll_completed */
558 smp_store_release(&req->iopoll_completed, 1);
559 }
560
561 static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
562 {
563 /* IO was queued async, completion will happen later */
564 if (ret == -EIOCBQUEUED)
565 return;
566
567 /* transform internal restart error codes */
568 if (unlikely(ret < 0)) {
569 switch (ret) {
570 case -ERESTARTSYS:
571 case -ERESTARTNOINTR:
572 case -ERESTARTNOHAND:
573 case -ERESTART_RESTARTBLOCK:
574 /*
575 * We can't just restart the syscall, since previously
576 * submitted sqes may already be in progress. Just fail
577 * this IO with EINTR.
578 */
579 ret = -EINTR;
580 break;
581 }
582 }
583
584 INDIRECT_CALL_2(kiocb->ki_complete, io_complete_rw_iopoll,
585 io_complete_rw, kiocb, ret);
586 }
587
588 static int kiocb_done(struct io_kiocb *req, ssize_t ret,
589 unsigned int issue_flags)
590 {
591 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
592 unsigned final_ret = io_fixup_rw_res(req, ret);
593
594 if (ret >= 0 && req->flags & REQ_F_CUR_POS)
595 req->file->f_pos = rw->kiocb.ki_pos;
596 if (ret >= 0 && (rw->kiocb.ki_complete == io_complete_rw)) {
597 if (!__io_complete_rw_common(req, ret)) {
598 /*
599 * Safe to call io_end from here as we're inline
600 * from the submission path.
601 */
602 io_req_io_end(req);
603 io_req_set_res(req, final_ret,
604 io_put_kbuf(req, ret, issue_flags));
605 io_req_rw_cleanup(req, issue_flags);
606 return IOU_OK;
607 }
608 } else {
609 io_rw_done(&rw->kiocb, ret);
610 }
611
612 if (req->flags & REQ_F_REISSUE) {
613 req->flags &= ~REQ_F_REISSUE;
614 io_resubmit_prep(req);
615 return -EAGAIN;
616 }
617 return IOU_ISSUE_SKIP_COMPLETE;
618 }
619
620 static inline loff_t *io_kiocb_ppos(struct kiocb *kiocb)
621 {
622 return (kiocb->ki_filp->f_mode & FMODE_STREAM) ? NULL : &kiocb->ki_pos;
623 }
624
625 /*
626 * For files that don't have ->read_iter() and ->write_iter(), handle them
627 * by looping over ->read() or ->write() manually.
628 */
629 static ssize_t loop_rw_iter(int ddir, struct io_rw *rw, struct iov_iter *iter)
630 {
631 struct kiocb *kiocb = &rw->kiocb;
632 struct file *file = kiocb->ki_filp;
633 ssize_t ret = 0;
634 loff_t *ppos;
635
636 /*
637 * Don't support polled IO through this interface, and we can't
638 * support non-blocking either. For the latter, this just causes
639 * the kiocb to be handled from an async context.
640 */
641 if (kiocb->ki_flags & IOCB_HIPRI)
642 return -EOPNOTSUPP;
643 if ((kiocb->ki_flags & IOCB_NOWAIT) &&
644 !(kiocb->ki_filp->f_flags & O_NONBLOCK))
645 return -EAGAIN;
646
647 ppos = io_kiocb_ppos(kiocb);
648
649 while (iov_iter_count(iter)) {
650 void __user *addr;
651 size_t len;
652 ssize_t nr;
653
654 if (iter_is_ubuf(iter)) {
655 addr = iter->ubuf + iter->iov_offset;
656 len = iov_iter_count(iter);
657 } else if (!iov_iter_is_bvec(iter)) {
658 addr = iter_iov_addr(iter);
659 len = iter_iov_len(iter);
660 } else {
661 addr = u64_to_user_ptr(rw->addr);
662 len = rw->len;
663 }
664
665 if (ddir == READ)
666 nr = file->f_op->read(file, addr, len, ppos);
667 else
668 nr = file->f_op->write(file, addr, len, ppos);
669
670 if (nr < 0) {
671 if (!ret)
672 ret = nr;
673 break;
674 }
675 ret += nr;
676 if (!iov_iter_is_bvec(iter)) {
677 iov_iter_advance(iter, nr);
678 } else {
679 rw->addr += nr;
680 rw->len -= nr;
681 if (!rw->len)
682 break;
683 }
684 if (nr != len)
685 break;
686 }
687
688 return ret;
689 }
690
691 /*
692 * This is our waitqueue callback handler, registered through __folio_lock_async()
693 * when we initially tried to do the IO with the iocb armed our waitqueue.
694 * This gets called when the page is unlocked, and we generally expect that to
695 * happen when the page IO is completed and the page is now uptodate. This will
696 * queue a task_work based retry of the operation, attempting to copy the data
697 * again. If the latter fails because the page was NOT uptodate, then we will
698 * do a thread based blocking retry of the operation. That's the unexpected
699 * slow path.
700 */
701 static int io_async_buf_func(struct wait_queue_entry *wait, unsigned mode,
702 int sync, void *arg)
703 {
704 struct wait_page_queue *wpq;
705 struct io_kiocb *req = wait->private;
706 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
707 struct wait_page_key *key = arg;
708
709 wpq = container_of(wait, struct wait_page_queue, wait);
710
711 if (!wake_page_match(wpq, key))
712 return 0;
713
714 rw->kiocb.ki_flags &= ~IOCB_WAITQ;
715 list_del_init(&wait->entry);
716 io_req_task_queue(req);
717 return 1;
718 }
719
720 /*
721 * This controls whether a given IO request should be armed for async page
722 * based retry. If we return false here, the request is handed to the async
723 * worker threads for retry. If we're doing buffered reads on a regular file,
724 * we prepare a private wait_page_queue entry and retry the operation. This
725 * will either succeed because the page is now uptodate and unlocked, or it
726 * will register a callback when the page is unlocked at IO completion. Through
727 * that callback, io_uring uses task_work to setup a retry of the operation.
728 * That retry will attempt the buffered read again. The retry will generally
729 * succeed, or in rare cases where it fails, we then fall back to using the
730 * async worker threads for a blocking retry.
731 */
732 static bool io_rw_should_retry(struct io_kiocb *req)
733 {
734 struct io_async_rw *io = req->async_data;
735 struct wait_page_queue *wait = &io->wpq;
736 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
737 struct kiocb *kiocb = &rw->kiocb;
738
739 /* never retry for NOWAIT, we just complete with -EAGAIN */
740 if (req->flags & REQ_F_NOWAIT)
741 return false;
742
743 /* Only for buffered IO */
744 if (kiocb->ki_flags & (IOCB_DIRECT | IOCB_HIPRI))
745 return false;
746
747 /*
748 * just use poll if we can, and don't attempt if the fs doesn't
749 * support callback based unlocks
750 */
751 if (io_file_can_poll(req) ||
752 !(req->file->f_op->fop_flags & FOP_BUFFER_RASYNC))
753 return false;
754
755 wait->wait.func = io_async_buf_func;
756 wait->wait.private = req;
757 wait->wait.flags = 0;
758 INIT_LIST_HEAD(&wait->wait.entry);
759 kiocb->ki_flags |= IOCB_WAITQ;
760 kiocb->ki_flags &= ~IOCB_NOWAIT;
761 kiocb->ki_waitq = wait;
762 return true;
763 }
764
765 static inline int io_iter_do_read(struct io_rw *rw, struct iov_iter *iter)
766 {
767 struct file *file = rw->kiocb.ki_filp;
768
769 if (likely(file->f_op->read_iter))
770 return file->f_op->read_iter(&rw->kiocb, iter);
771 else if (file->f_op->read)
772 return loop_rw_iter(READ, rw, iter);
773 else
774 return -EINVAL;
775 }
776
777 static bool need_complete_io(struct io_kiocb *req)
778 {
779 return req->flags & REQ_F_ISREG ||
780 S_ISBLK(file_inode(req->file)->i_mode);
781 }
782
783 static int io_rw_init_file(struct io_kiocb *req, fmode_t mode, int rw_type)
784 {
785 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
786 struct kiocb *kiocb = &rw->kiocb;
787 struct io_ring_ctx *ctx = req->ctx;
788 struct file *file = req->file;
789 int ret;
790
791 if (unlikely(!(file->f_mode & mode)))
792 return -EBADF;
793
794 if (!(req->flags & REQ_F_FIXED_FILE))
795 req->flags |= io_file_get_flags(file);
796
797 kiocb->ki_flags = file->f_iocb_flags;
798 ret = kiocb_set_rw_flags(kiocb, rw->flags, rw_type);
799 if (unlikely(ret))
800 return ret;
801 kiocb->ki_flags |= IOCB_ALLOC_CACHE;
802
803 /*
804 * If the file is marked O_NONBLOCK, still allow retry for it if it
805 * supports async. Otherwise it's impossible to use O_NONBLOCK files
806 * reliably. If not, or it IOCB_NOWAIT is set, don't retry.
807 */
808 if (kiocb->ki_flags & IOCB_NOWAIT ||
809 ((file->f_flags & O_NONBLOCK && !(req->flags & REQ_F_SUPPORT_NOWAIT))))
810 req->flags |= REQ_F_NOWAIT;
811
812 if (ctx->flags & IORING_SETUP_IOPOLL) {
813 if (!(kiocb->ki_flags & IOCB_DIRECT) || !file->f_op->iopoll)
814 return -EOPNOTSUPP;
815
816 kiocb->private = NULL;
817 kiocb->ki_flags |= IOCB_HIPRI;
818 kiocb->ki_complete = io_complete_rw_iopoll;
819 req->iopoll_completed = 0;
820 if (ctx->flags & IORING_SETUP_HYBRID_IOPOLL) {
821 /* make sure every req only blocks once*/
822 req->flags &= ~REQ_F_IOPOLL_STATE;
823 req->iopoll_start = ktime_get_ns();
824 }
825 } else {
826 if (kiocb->ki_flags & IOCB_HIPRI)
827 return -EINVAL;
828 kiocb->ki_complete = io_complete_rw;
829 }
830
831 return 0;
832 }
833
834 static int __io_read(struct io_kiocb *req, unsigned int issue_flags)
835 {
836 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
837 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
838 struct io_async_rw *io = req->async_data;
839 struct kiocb *kiocb = &rw->kiocb;
840 ssize_t ret;
841 loff_t *ppos;
842
843 if (io_do_buffer_select(req)) {
844 ret = io_import_iovec(ITER_DEST, req, io, issue_flags);
845 if (unlikely(ret < 0))
846 return ret;
847 }
848 ret = io_rw_init_file(req, FMODE_READ, READ);
849 if (unlikely(ret))
850 return ret;
851 req->cqe.res = iov_iter_count(&io->iter);
852
853 if (force_nonblock) {
854 /* If the file doesn't support async, just async punt */
855 if (unlikely(!io_file_supports_nowait(req, EPOLLIN)))
856 return -EAGAIN;
857 kiocb->ki_flags |= IOCB_NOWAIT;
858 } else {
859 /* Ensure we clear previously set non-block flag */
860 kiocb->ki_flags &= ~IOCB_NOWAIT;
861 }
862
863 ppos = io_kiocb_update_pos(req);
864
865 ret = rw_verify_area(READ, req->file, ppos, req->cqe.res);
866 if (unlikely(ret))
867 return ret;
868
869 ret = io_iter_do_read(rw, &io->iter);
870
871 /*
872 * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
873 * issue, even though they should be returning -EAGAIN. To be safe,
874 * retry from blocking context for either.
875 */
876 if (ret == -EOPNOTSUPP && force_nonblock)
877 ret = -EAGAIN;
878
879 if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
880 req->flags &= ~REQ_F_REISSUE;
881 /* If we can poll, just do that. */
882 if (io_file_can_poll(req))
883 return -EAGAIN;
884 /* IOPOLL retry should happen for io-wq threads */
885 if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
886 goto done;
887 /* no retry on NONBLOCK nor RWF_NOWAIT */
888 if (req->flags & REQ_F_NOWAIT)
889 goto done;
890 ret = 0;
891 } else if (ret == -EIOCBQUEUED) {
892 return IOU_ISSUE_SKIP_COMPLETE;
893 } else if (ret == req->cqe.res || ret <= 0 || !force_nonblock ||
894 (req->flags & REQ_F_NOWAIT) || !need_complete_io(req)) {
895 /* read all, failed, already did sync or don't want to retry */
896 goto done;
897 }
898
899 /*
900 * Don't depend on the iter state matching what was consumed, or being
901 * untouched in case of error. Restore it and we'll advance it
902 * manually if we need to.
903 */
904 iov_iter_restore(&io->iter, &io->iter_state);
905
906 do {
907 /*
908 * We end up here because of a partial read, either from
909 * above or inside this loop. Advance the iter by the bytes
910 * that were consumed.
911 */
912 iov_iter_advance(&io->iter, ret);
913 if (!iov_iter_count(&io->iter))
914 break;
915 io->bytes_done += ret;
916 iov_iter_save_state(&io->iter, &io->iter_state);
917
918 /* if we can retry, do so with the callbacks armed */
919 if (!io_rw_should_retry(req)) {
920 kiocb->ki_flags &= ~IOCB_WAITQ;
921 return -EAGAIN;
922 }
923
924 req->cqe.res = iov_iter_count(&io->iter);
925 /*
926 * Now retry read with the IOCB_WAITQ parts set in the iocb. If
927 * we get -EIOCBQUEUED, then we'll get a notification when the
928 * desired page gets unlocked. We can also get a partial read
929 * here, and if we do, then just retry at the new offset.
930 */
931 ret = io_iter_do_read(rw, &io->iter);
932 if (ret == -EIOCBQUEUED)
933 return IOU_ISSUE_SKIP_COMPLETE;
934 /* we got some bytes, but not all. retry. */
935 kiocb->ki_flags &= ~IOCB_WAITQ;
936 iov_iter_restore(&io->iter, &io->iter_state);
937 } while (ret > 0);
938 done:
939 /* it's faster to check here then delegate to kfree */
940 return ret;
941 }
942
943 int io_read(struct io_kiocb *req, unsigned int issue_flags)
944 {
945 int ret;
946
947 ret = __io_read(req, issue_flags);
948 if (ret >= 0)
949 return kiocb_done(req, ret, issue_flags);
950
951 return ret;
952 }
953
954 int io_read_mshot(struct io_kiocb *req, unsigned int issue_flags)
955 {
956 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
957 unsigned int cflags = 0;
958 int ret;
959
960 /*
961 * Multishot MUST be used on a pollable file
962 */
963 if (!io_file_can_poll(req))
964 return -EBADFD;
965
966 ret = __io_read(req, issue_flags);
967
968 /*
969 * If we get -EAGAIN, recycle our buffer and just let normal poll
970 * handling arm it.
971 */
972 if (ret == -EAGAIN) {
973 /*
974 * Reset rw->len to 0 again to avoid clamping future mshot
975 * reads, in case the buffer size varies.
976 */
977 if (io_kbuf_recycle(req, issue_flags))
978 rw->len = 0;
979 if (issue_flags & IO_URING_F_MULTISHOT)
980 return IOU_ISSUE_SKIP_COMPLETE;
981 return -EAGAIN;
982 } else if (ret <= 0) {
983 io_kbuf_recycle(req, issue_flags);
984 if (ret < 0)
985 req_set_fail(req);
986 } else {
987 /*
988 * Any successful return value will keep the multishot read
989 * armed, if it's still set. Put our buffer and post a CQE. If
990 * we fail to post a CQE, or multishot is no longer set, then
991 * jump to the termination path. This request is then done.
992 */
993 cflags = io_put_kbuf(req, ret, issue_flags);
994 rw->len = 0; /* similarly to above, reset len to 0 */
995
996 if (io_req_post_cqe(req, ret, cflags | IORING_CQE_F_MORE)) {
997 if (issue_flags & IO_URING_F_MULTISHOT) {
998 /*
999 * Force retry, as we might have more data to
1000 * be read and otherwise it won't get retried
1001 * until (if ever) another poll is triggered.
1002 */
1003 io_poll_multishot_retry(req);
1004 return IOU_ISSUE_SKIP_COMPLETE;
1005 }
1006 return -EAGAIN;
1007 }
1008 }
1009
1010 /*
1011 * Either an error, or we've hit overflow posting the CQE. For any
1012 * multishot request, hitting overflow will terminate it.
1013 */
1014 io_req_set_res(req, ret, cflags);
1015 io_req_rw_cleanup(req, issue_flags);
1016 if (issue_flags & IO_URING_F_MULTISHOT)
1017 return IOU_STOP_MULTISHOT;
1018 return IOU_OK;
1019 }
1020
1021 static bool io_kiocb_start_write(struct io_kiocb *req, struct kiocb *kiocb)
1022 {
1023 struct inode *inode;
1024 bool ret;
1025
1026 if (!(req->flags & REQ_F_ISREG))
1027 return true;
1028 if (!(kiocb->ki_flags & IOCB_NOWAIT)) {
1029 kiocb_start_write(kiocb);
1030 return true;
1031 }
1032
1033 inode = file_inode(kiocb->ki_filp);
1034 ret = sb_start_write_trylock(inode->i_sb);
1035 if (ret)
1036 __sb_writers_release(inode->i_sb, SB_FREEZE_WRITE);
1037 return ret;
1038 }
1039
1040 int io_write(struct io_kiocb *req, unsigned int issue_flags)
1041 {
1042 bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
1043 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
1044 struct io_async_rw *io = req->async_data;
1045 struct kiocb *kiocb = &rw->kiocb;
1046 ssize_t ret, ret2;
1047 loff_t *ppos;
1048
1049 ret = io_rw_init_file(req, FMODE_WRITE, WRITE);
1050 if (unlikely(ret))
1051 return ret;
1052 req->cqe.res = iov_iter_count(&io->iter);
1053
1054 if (force_nonblock) {
1055 /* If the file doesn't support async, just async punt */
1056 if (unlikely(!io_file_supports_nowait(req, EPOLLOUT)))
1057 goto ret_eagain;
1058
1059 /* Check if we can support NOWAIT. */
1060 if (!(kiocb->ki_flags & IOCB_DIRECT) &&
1061 !(req->file->f_op->fop_flags & FOP_BUFFER_WASYNC) &&
1062 (req->flags & REQ_F_ISREG))
1063 goto ret_eagain;
1064
1065 kiocb->ki_flags |= IOCB_NOWAIT;
1066 } else {
1067 /* Ensure we clear previously set non-block flag */
1068 kiocb->ki_flags &= ~IOCB_NOWAIT;
1069 }
1070
1071 ppos = io_kiocb_update_pos(req);
1072
1073 ret = rw_verify_area(WRITE, req->file, ppos, req->cqe.res);
1074 if (unlikely(ret))
1075 return ret;
1076
1077 if (unlikely(!io_kiocb_start_write(req, kiocb)))
1078 return -EAGAIN;
1079 kiocb->ki_flags |= IOCB_WRITE;
1080
1081 if (likely(req->file->f_op->write_iter))
1082 ret2 = req->file->f_op->write_iter(kiocb, &io->iter);
1083 else if (req->file->f_op->write)
1084 ret2 = loop_rw_iter(WRITE, rw, &io->iter);
1085 else
1086 ret2 = -EINVAL;
1087
1088 if (req->flags & REQ_F_REISSUE) {
1089 req->flags &= ~REQ_F_REISSUE;
1090 ret2 = -EAGAIN;
1091 }
1092
1093 /*
1094 * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just
1095 * retry them without IOCB_NOWAIT.
1096 */
1097 if (ret2 == -EOPNOTSUPP && (kiocb->ki_flags & IOCB_NOWAIT))
1098 ret2 = -EAGAIN;
1099 /* no retry on NONBLOCK nor RWF_NOWAIT */
1100 if (ret2 == -EAGAIN && (req->flags & REQ_F_NOWAIT))
1101 goto done;
1102 if (!force_nonblock || ret2 != -EAGAIN) {
1103 /* IOPOLL retry should happen for io-wq threads */
1104 if (ret2 == -EAGAIN && (req->ctx->flags & IORING_SETUP_IOPOLL))
1105 goto ret_eagain;
1106
1107 if (ret2 != req->cqe.res && ret2 >= 0 && need_complete_io(req)) {
1108 trace_io_uring_short_write(req->ctx, kiocb->ki_pos - ret2,
1109 req->cqe.res, ret2);
1110
1111 /* This is a partial write. The file pos has already been
1112 * updated, setup the async struct to complete the request
1113 * in the worker. Also update bytes_done to account for
1114 * the bytes already written.
1115 */
1116 iov_iter_save_state(&io->iter, &io->iter_state);
1117 io->bytes_done += ret2;
1118
1119 if (kiocb->ki_flags & IOCB_WRITE)
1120 io_req_end_write(req);
1121 return -EAGAIN;
1122 }
1123 done:
1124 return kiocb_done(req, ret2, issue_flags);
1125 } else {
1126 ret_eagain:
1127 iov_iter_restore(&io->iter, &io->iter_state);
1128 if (kiocb->ki_flags & IOCB_WRITE)
1129 io_req_end_write(req);
1130 return -EAGAIN;
1131 }
1132 }
1133
1134 void io_rw_fail(struct io_kiocb *req)
1135 {
1136 int res;
1137
1138 res = io_fixup_rw_res(req, req->cqe.res);
1139 io_req_set_res(req, res, req->cqe.flags);
1140 }
1141
1142 static int io_uring_classic_poll(struct io_kiocb *req, struct io_comp_batch *iob,
1143 unsigned int poll_flags)
1144 {
1145 struct file *file = req->file;
1146
1147 if (req->opcode == IORING_OP_URING_CMD) {
1148 struct io_uring_cmd *ioucmd;
1149
1150 ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
1151 return file->f_op->uring_cmd_iopoll(ioucmd, iob, poll_flags);
1152 } else {
1153 struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
1154
1155 return file->f_op->iopoll(&rw->kiocb, iob, poll_flags);
1156 }
1157 }
1158
1159 static u64 io_hybrid_iopoll_delay(struct io_ring_ctx *ctx, struct io_kiocb *req)
1160 {
1161 struct hrtimer_sleeper timer;
1162 enum hrtimer_mode mode;
1163 ktime_t kt;
1164 u64 sleep_time;
1165
1166 if (req->flags & REQ_F_IOPOLL_STATE)
1167 return 0;
1168
1169 if (ctx->hybrid_poll_time == LLONG_MAX)
1170 return 0;
1171
1172 /* Using half the running time to do schedule */
1173 sleep_time = ctx->hybrid_poll_time / 2;
1174
1175 kt = ktime_set(0, sleep_time);
1176 req->flags |= REQ_F_IOPOLL_STATE;
1177
1178 mode = HRTIMER_MODE_REL;
1179 hrtimer_setup_sleeper_on_stack(&timer, CLOCK_MONOTONIC, mode);
1180 hrtimer_set_expires(&timer.timer, kt);
1181 set_current_state(TASK_INTERRUPTIBLE);
1182 hrtimer_sleeper_start_expires(&timer, mode);
1183
1184 if (timer.task)
1185 io_schedule();
1186
1187 hrtimer_cancel(&timer.timer);
1188 __set_current_state(TASK_RUNNING);
1189 destroy_hrtimer_on_stack(&timer.timer);
1190 return sleep_time;
1191 }
1192
1193 static int io_uring_hybrid_poll(struct io_kiocb *req,
1194 struct io_comp_batch *iob, unsigned int poll_flags)
1195 {
1196 struct io_ring_ctx *ctx = req->ctx;
1197 u64 runtime, sleep_time;
1198 int ret;
1199
1200 sleep_time = io_hybrid_iopoll_delay(ctx, req);
1201 ret = io_uring_classic_poll(req, iob, poll_flags);
1202 runtime = ktime_get_ns() - req->iopoll_start - sleep_time;
1203
1204 /*
1205 * Use minimum sleep time if we're polling devices with different
1206 * latencies. We could get more completions from the faster ones.
1207 */
1208 if (ctx->hybrid_poll_time > runtime)
1209 ctx->hybrid_poll_time = runtime;
1210
1211 return ret;
1212 }
1213
1214 int io_do_iopoll(struct io_ring_ctx *ctx, bool force_nonspin)
1215 {
1216 struct io_wq_work_node *pos, *start, *prev;
1217 unsigned int poll_flags = 0;
1218 DEFINE_IO_COMP_BATCH(iob);
1219 int nr_events = 0;
1220
1221 /*
1222 * Only spin for completions if we don't have multiple devices hanging
1223 * off our complete list.
1224 */
1225 if (ctx->poll_multi_queue || force_nonspin)
1226 poll_flags |= BLK_POLL_ONESHOT;
1227
1228 wq_list_for_each(pos, start, &ctx->iopoll_list) {
1229 struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
1230 int ret;
1231
1232 /*
1233 * Move completed and retryable entries to our local lists.
1234 * If we find a request that requires polling, break out
1235 * and complete those lists first, if we have entries there.
1236 */
1237 if (READ_ONCE(req->iopoll_completed))
1238 break;
1239
1240 if (ctx->flags & IORING_SETUP_HYBRID_IOPOLL)
1241 ret = io_uring_hybrid_poll(req, &iob, poll_flags);
1242 else
1243 ret = io_uring_classic_poll(req, &iob, poll_flags);
1244
1245 if (unlikely(ret < 0))
1246 return ret;
1247 else if (ret)
1248 poll_flags |= BLK_POLL_ONESHOT;
1249
1250 /* iopoll may have completed current req */
1251 if (!rq_list_empty(&iob.req_list) ||
1252 READ_ONCE(req->iopoll_completed))
1253 break;
1254 }
1255
1256 if (!rq_list_empty(&iob.req_list))
1257 iob.complete(&iob);
1258 else if (!pos)
1259 return 0;
1260
1261 prev = start;
1262 wq_list_for_each_resume(pos, prev) {
1263 struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
1264
1265 /* order with io_complete_rw_iopoll(), e.g. ->result updates */
1266 if (!smp_load_acquire(&req->iopoll_completed))
1267 break;
1268 nr_events++;
1269 req->cqe.flags = io_put_kbuf(req, req->cqe.res, 0);
1270 if (req->opcode != IORING_OP_URING_CMD)
1271 io_req_rw_cleanup(req, 0);
1272 }
1273 if (unlikely(!nr_events))
1274 return 0;
1275
1276 pos = start ? start->next : ctx->iopoll_list.first;
1277 wq_list_cut(&ctx->iopoll_list, prev, start);
1278
1279 if (WARN_ON_ONCE(!wq_list_empty(&ctx->submit_state.compl_reqs)))
1280 return 0;
1281 ctx->submit_state.compl_reqs.first = pos;
1282 __io_submit_flush_completions(ctx);
1283 return nr_events;
1284 }
1285
1286 void io_rw_cache_free(const void *entry)
1287 {
1288 struct io_async_rw *rw = (struct io_async_rw *) entry;
1289
1290 if (rw->free_iovec) {
1291 kasan_mempool_unpoison_object(rw->free_iovec,
1292 rw->free_iov_nr * sizeof(struct iovec));
1293 io_rw_iovec_free(rw);
1294 }
1295 kfree(rw);
1296 }
Kernel DRM miscellaneous fixes and cross-tree changes