1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/file.h>
7 #include <linux/slab.h>
8 #include <linux/namei.h>
9 #include <linux/poll.h>
10 #include <linux/io_uring.h>
12 #include <uapi/linux/io_uring.h>
18 #define IO_BUFFER_LIST_BUF_PER_PAGE (PAGE_SIZE / sizeof(struct io_uring_buf))
22 /* BIDs are addressed by a 16-bit field in a CQE */
23 #define MAX_BIDS_PER_BGID (1 << 16)
25 struct kmem_cache *io_buf_cachep;
27 struct io_provide_buf {
36 static inline struct io_buffer_list *io_buffer_get_list(struct io_ring_ctx *ctx,
39 if (ctx->io_bl && bgid < BGID_ARRAY)
40 return &ctx->io_bl[bgid];
42 return xa_load(&ctx->io_bl_xa, bgid);
45 static int io_buffer_add_list(struct io_ring_ctx *ctx,
46 struct io_buffer_list *bl, unsigned int bgid)
49 if (bgid < BGID_ARRAY)
52 return xa_err(xa_store(&ctx->io_bl_xa, bgid, bl, GFP_KERNEL));
55 bool io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags)
57 struct io_ring_ctx *ctx = req->ctx;
58 struct io_buffer_list *bl;
59 struct io_buffer *buf;
62 * For legacy provided buffer mode, don't recycle if we already did
63 * IO to this buffer. For ring-mapped provided buffer mode, we should
64 * increment ring->head to explicitly monopolize the buffer to avoid
67 if (req->flags & REQ_F_PARTIAL_IO)
70 io_ring_submit_lock(ctx, issue_flags);
73 bl = io_buffer_get_list(ctx, buf->bgid);
74 list_add(&buf->list, &bl->buf_list);
75 req->flags &= ~REQ_F_BUFFER_SELECTED;
76 req->buf_index = buf->bgid;
78 io_ring_submit_unlock(ctx, issue_flags);
82 unsigned int __io_put_kbuf(struct io_kiocb *req, unsigned issue_flags)
87 * We can add this buffer back to two lists:
89 * 1) The io_buffers_cache list. This one is protected by the
90 * ctx->uring_lock. If we already hold this lock, add back to this
91 * list as we can grab it from issue as well.
92 * 2) The io_buffers_comp list. This one is protected by the
93 * ctx->completion_lock.
95 * We migrate buffers from the comp_list to the issue cache list
98 if (req->flags & REQ_F_BUFFER_RING) {
99 /* no buffers to recycle for this case */
100 cflags = __io_put_kbuf_list(req, NULL);
101 } else if (issue_flags & IO_URING_F_UNLOCKED) {
102 struct io_ring_ctx *ctx = req->ctx;
104 spin_lock(&ctx->completion_lock);
105 cflags = __io_put_kbuf_list(req, &ctx->io_buffers_comp);
106 spin_unlock(&ctx->completion_lock);
108 lockdep_assert_held(&req->ctx->uring_lock);
110 cflags = __io_put_kbuf_list(req, &req->ctx->io_buffers_cache);
115 static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
116 struct io_buffer_list *bl)
118 if (!list_empty(&bl->buf_list)) {
119 struct io_buffer *kbuf;
121 kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
122 list_del(&kbuf->list);
123 if (*len == 0 || *len > kbuf->len)
125 req->flags |= REQ_F_BUFFER_SELECTED;
127 req->buf_index = kbuf->bid;
128 return u64_to_user_ptr(kbuf->addr);
133 static void __user *io_ring_buffer_select(struct io_kiocb *req, size_t *len,
134 struct io_buffer_list *bl,
135 unsigned int issue_flags)
137 struct io_uring_buf_ring *br = bl->buf_ring;
138 struct io_uring_buf *buf;
139 __u16 head = bl->head;
141 if (unlikely(smp_load_acquire(&br->tail) == head))
145 /* mmaped buffers are always contig */
146 if (bl->is_mmap || head < IO_BUFFER_LIST_BUF_PER_PAGE) {
147 buf = &br->bufs[head];
149 int off = head & (IO_BUFFER_LIST_BUF_PER_PAGE - 1);
150 int index = head / IO_BUFFER_LIST_BUF_PER_PAGE;
151 buf = page_address(bl->buf_pages[index]);
154 if (*len == 0 || *len > buf->len)
156 req->flags |= REQ_F_BUFFER_RING;
158 req->buf_index = buf->bid;
160 if (issue_flags & IO_URING_F_UNLOCKED || !file_can_poll(req->file)) {
162 * If we came in unlocked, we have no choice but to consume the
163 * buffer here, otherwise nothing ensures that the buffer won't
164 * get used by others. This does mean it'll be pinned until the
165 * IO completes, coming in unlocked means we're being called from
166 * io-wq context and there may be further retries in async hybrid
167 * mode. For the locked case, the caller must call commit when
168 * the transfer completes (or if we get -EAGAIN and must poll of
171 req->buf_list = NULL;
174 return u64_to_user_ptr(buf->addr);
177 void __user *io_buffer_select(struct io_kiocb *req, size_t *len,
178 unsigned int issue_flags)
180 struct io_ring_ctx *ctx = req->ctx;
181 struct io_buffer_list *bl;
182 void __user *ret = NULL;
184 io_ring_submit_lock(req->ctx, issue_flags);
186 bl = io_buffer_get_list(ctx, req->buf_index);
189 ret = io_ring_buffer_select(req, len, bl, issue_flags);
191 ret = io_provided_buffer_select(req, len, bl);
193 io_ring_submit_unlock(req->ctx, issue_flags);
197 static __cold int io_init_bl_list(struct io_ring_ctx *ctx)
201 ctx->io_bl = kcalloc(BGID_ARRAY, sizeof(struct io_buffer_list),
206 for (i = 0; i < BGID_ARRAY; i++) {
207 INIT_LIST_HEAD(&ctx->io_bl[i].buf_list);
208 ctx->io_bl[i].bgid = i;
214 static int __io_remove_buffers(struct io_ring_ctx *ctx,
215 struct io_buffer_list *bl, unsigned nbufs)
219 /* shouldn't happen */
224 i = bl->buf_ring->tail - bl->head;
226 folio_put(virt_to_folio(bl->buf_ring));
229 } else if (bl->buf_nr_pages) {
232 for (j = 0; j < bl->buf_nr_pages; j++)
233 unpin_user_page(bl->buf_pages[j]);
234 kvfree(bl->buf_pages);
235 bl->buf_pages = NULL;
236 bl->buf_nr_pages = 0;
238 /* make sure it's seen as empty */
239 INIT_LIST_HEAD(&bl->buf_list);
244 /* protects io_buffers_cache */
245 lockdep_assert_held(&ctx->uring_lock);
247 while (!list_empty(&bl->buf_list)) {
248 struct io_buffer *nxt;
250 nxt = list_first_entry(&bl->buf_list, struct io_buffer, list);
251 list_move(&nxt->list, &ctx->io_buffers_cache);
260 void io_destroy_buffers(struct io_ring_ctx *ctx)
262 struct io_buffer_list *bl;
263 struct list_head *item, *tmp;
264 struct io_buffer *buf;
268 for (i = 0; i < BGID_ARRAY; i++) {
271 __io_remove_buffers(ctx, &ctx->io_bl[i], -1U);
274 xa_for_each(&ctx->io_bl_xa, index, bl) {
275 xa_erase(&ctx->io_bl_xa, bl->bgid);
276 __io_remove_buffers(ctx, bl, -1U);
280 list_for_each_safe(item, tmp, &ctx->io_buffers_cache) {
281 buf = list_entry(item, struct io_buffer, list);
282 kmem_cache_free(io_buf_cachep, buf);
286 int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
288 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
291 if (sqe->rw_flags || sqe->addr || sqe->len || sqe->off ||
295 tmp = READ_ONCE(sqe->fd);
296 if (!tmp || tmp > MAX_BIDS_PER_BGID)
299 memset(p, 0, sizeof(*p));
301 p->bgid = READ_ONCE(sqe->buf_group);
305 int io_remove_buffers(struct io_kiocb *req, unsigned int issue_flags)
307 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
308 struct io_ring_ctx *ctx = req->ctx;
309 struct io_buffer_list *bl;
312 io_ring_submit_lock(ctx, issue_flags);
315 bl = io_buffer_get_list(ctx, p->bgid);
318 /* can't use provide/remove buffers command on mapped buffers */
320 ret = __io_remove_buffers(ctx, bl, p->nbufs);
322 io_ring_submit_unlock(ctx, issue_flags);
325 io_req_set_res(req, ret, 0);
329 int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
331 unsigned long size, tmp_check;
332 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
335 if (sqe->rw_flags || sqe->splice_fd_in)
338 tmp = READ_ONCE(sqe->fd);
339 if (!tmp || tmp > MAX_BIDS_PER_BGID)
342 p->addr = READ_ONCE(sqe->addr);
343 p->len = READ_ONCE(sqe->len);
345 if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
348 if (check_add_overflow((unsigned long)p->addr, size, &tmp_check))
351 size = (unsigned long)p->len * p->nbufs;
352 if (!access_ok(u64_to_user_ptr(p->addr), size))
355 p->bgid = READ_ONCE(sqe->buf_group);
356 tmp = READ_ONCE(sqe->off);
359 if (tmp + p->nbufs > MAX_BIDS_PER_BGID)
365 #define IO_BUFFER_ALLOC_BATCH 64
367 static int io_refill_buffer_cache(struct io_ring_ctx *ctx)
369 struct io_buffer *bufs[IO_BUFFER_ALLOC_BATCH];
373 * Completions that don't happen inline (eg not under uring_lock) will
374 * add to ->io_buffers_comp. If we don't have any free buffers, check
375 * the completion list and splice those entries first.
377 if (!list_empty_careful(&ctx->io_buffers_comp)) {
378 spin_lock(&ctx->completion_lock);
379 if (!list_empty(&ctx->io_buffers_comp)) {
380 list_splice_init(&ctx->io_buffers_comp,
381 &ctx->io_buffers_cache);
382 spin_unlock(&ctx->completion_lock);
385 spin_unlock(&ctx->completion_lock);
389 * No free buffers and no completion entries either. Allocate a new
390 * batch of buffer entries and add those to our freelist.
393 allocated = kmem_cache_alloc_bulk(io_buf_cachep, GFP_KERNEL_ACCOUNT,
394 ARRAY_SIZE(bufs), (void **) bufs);
395 if (unlikely(!allocated)) {
397 * Bulk alloc is all-or-nothing. If we fail to get a batch,
398 * retry single alloc to be on the safe side.
400 bufs[0] = kmem_cache_alloc(io_buf_cachep, GFP_KERNEL);
407 list_add_tail(&bufs[--allocated]->list, &ctx->io_buffers_cache);
412 static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
413 struct io_buffer_list *bl)
415 struct io_buffer *buf;
416 u64 addr = pbuf->addr;
417 int i, bid = pbuf->bid;
419 for (i = 0; i < pbuf->nbufs; i++) {
420 if (list_empty(&ctx->io_buffers_cache) &&
421 io_refill_buffer_cache(ctx))
423 buf = list_first_entry(&ctx->io_buffers_cache, struct io_buffer,
425 list_move_tail(&buf->list, &bl->buf_list);
427 buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
429 buf->bgid = pbuf->bgid;
435 return i ? 0 : -ENOMEM;
438 int io_provide_buffers(struct io_kiocb *req, unsigned int issue_flags)
440 struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
441 struct io_ring_ctx *ctx = req->ctx;
442 struct io_buffer_list *bl;
445 io_ring_submit_lock(ctx, issue_flags);
447 if (unlikely(p->bgid < BGID_ARRAY && !ctx->io_bl)) {
448 ret = io_init_bl_list(ctx);
453 bl = io_buffer_get_list(ctx, p->bgid);
455 bl = kzalloc(sizeof(*bl), GFP_KERNEL_ACCOUNT);
460 INIT_LIST_HEAD(&bl->buf_list);
461 ret = io_buffer_add_list(ctx, bl, p->bgid);
467 /* can't add buffers via this command for a mapped buffer ring */
473 ret = io_add_buffers(ctx, p, bl);
475 io_ring_submit_unlock(ctx, issue_flags);
479 io_req_set_res(req, ret, 0);
483 static int io_pin_pbuf_ring(struct io_uring_buf_reg *reg,
484 struct io_buffer_list *bl)
486 struct io_uring_buf_ring *br;
490 pages = io_pin_pages(reg->ring_addr,
491 flex_array_size(br, bufs, reg->ring_entries),
494 return PTR_ERR(pages);
497 * Apparently some 32-bit boxes (ARM) will return highmem pages,
498 * which then need to be mapped. We could support that, but it'd
499 * complicate the code and slowdown the common cases quite a bit.
500 * So just error out, returning -EINVAL just like we did on kernels
501 * that didn't support mapped buffer rings.
503 for (i = 0; i < nr_pages; i++)
504 if (PageHighMem(pages[i]))
507 br = page_address(pages[0]);
510 * On platforms that have specific aliasing requirements, SHM_COLOUR
511 * is set and we must guarantee that the kernel and user side align
512 * nicely. We cannot do that if IOU_PBUF_RING_MMAP isn't set and
513 * the application mmap's the provided ring buffer. Fail the request
514 * if we, by chance, don't end up with aligned addresses. The app
515 * should use IOU_PBUF_RING_MMAP instead, and liburing will handle
516 * this transparently.
518 if ((reg->ring_addr | (unsigned long) br) & (SHM_COLOUR - 1))
521 bl->buf_pages = pages;
522 bl->buf_nr_pages = nr_pages;
528 for (i = 0; i < nr_pages; i++)
529 unpin_user_page(pages[i]);
534 static int io_alloc_pbuf_ring(struct io_uring_buf_reg *reg,
535 struct io_buffer_list *bl)
537 gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP;
541 ring_size = reg->ring_entries * sizeof(struct io_uring_buf_ring);
542 ptr = (void *) __get_free_pages(gfp, get_order(ring_size));
552 int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
554 struct io_uring_buf_reg reg;
555 struct io_buffer_list *bl, *free_bl = NULL;
558 if (copy_from_user(®, arg, sizeof(reg)))
561 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
563 if (reg.flags & ~IOU_PBUF_RING_MMAP)
565 if (!(reg.flags & IOU_PBUF_RING_MMAP)) {
568 if (reg.ring_addr & ~PAGE_MASK)
575 if (!is_power_of_2(reg.ring_entries))
578 /* cannot disambiguate full vs empty due to head/tail size */
579 if (reg.ring_entries >= 65536)
582 if (unlikely(reg.bgid < BGID_ARRAY && !ctx->io_bl)) {
583 int ret = io_init_bl_list(ctx);
588 bl = io_buffer_get_list(ctx, reg.bgid);
590 /* if mapped buffer ring OR classic exists, don't allow */
591 if (bl->is_mapped || !list_empty(&bl->buf_list))
594 free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
599 if (!(reg.flags & IOU_PBUF_RING_MMAP))
600 ret = io_pin_pbuf_ring(®, bl);
602 ret = io_alloc_pbuf_ring(®, bl);
605 bl->nr_entries = reg.ring_entries;
606 bl->mask = reg.ring_entries - 1;
608 io_buffer_add_list(ctx, bl, reg.bgid);
616 int io_unregister_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
618 struct io_uring_buf_reg reg;
619 struct io_buffer_list *bl;
621 if (copy_from_user(®, arg, sizeof(reg)))
623 if (reg.resv[0] || reg.resv[1] || reg.resv[2])
628 bl = io_buffer_get_list(ctx, reg.bgid);
634 __io_remove_buffers(ctx, bl, -1U);
635 if (bl->bgid >= BGID_ARRAY) {
636 xa_erase(&ctx->io_bl_xa, bl->bgid);
642 void *io_pbuf_get_address(struct io_ring_ctx *ctx, unsigned long bgid)
644 struct io_buffer_list *bl;
646 bl = io_buffer_get_list(ctx, bgid);
647 if (!bl || !bl->is_mmap)
git.samba.org / sfrench / cifs-2.6.git / blob