2 * An async IO implementation for Linux
3 * Written by Benjamin LaHaise <bcrl@kvack.org>
5 * Implements an efficient asynchronous io interface.
7 * Copyright 2000, 2001, 2002 Red Hat, Inc. All Rights Reserved.
9 * See ../COPYING for licensing terms.
11 #define pr_fmt(fmt) "%s: " fmt, __func__
13 #include <linux/kernel.h>
14 #include <linux/init.h>
15 #include <linux/errno.h>
16 #include <linux/time.h>
17 #include <linux/aio_abi.h>
18 #include <linux/export.h>
19 #include <linux/syscalls.h>
20 #include <linux/backing-dev.h>
21 #include <linux/uio.h>
23 #include <linux/sched.h>
25 #include <linux/file.h>
27 #include <linux/mman.h>
28 #include <linux/bio.h>
29 #include <linux/mmu_context.h>
30 #include <linux/percpu.h>
31 #include <linux/slab.h>
32 #include <linux/timer.h>
33 #include <linux/aio.h>
34 #include <linux/highmem.h>
35 #include <linux/workqueue.h>
36 #include <linux/security.h>
37 #include <linux/eventfd.h>
38 #include <linux/blkdev.h>
39 #include <linux/compat.h>
40 #include <linux/percpu-refcount.h>
42 #include <asm/kmap_types.h>
43 #include <asm/uaccess.h>
45 #define AIO_RING_MAGIC 0xa10a10a1
46 #define AIO_RING_COMPAT_FEATURES 1
47 #define AIO_RING_INCOMPAT_FEATURES 0
49 unsigned id; /* kernel internal index number */
50 unsigned nr; /* number of io_events */
55 unsigned compat_features;
56 unsigned incompat_features;
57 unsigned header_length; /* size of aio_ring */
60 struct io_event io_events[0];
61 }; /* 128 bytes + ring size */
63 #define AIO_RING_PAGES 8
66 unsigned reqs_available;
70 struct percpu_ref users;
72 /* This needs improving */
73 unsigned long user_id;
74 struct hlist_node list;
76 struct __percpu kioctx_cpu *cpu;
82 /* sys_io_setup currently limits this to an unsigned int */
85 unsigned long mmap_base;
86 unsigned long mmap_size;
88 struct page **ring_pages;
91 struct rcu_head rcu_head;
92 struct work_struct rcu_work;
95 atomic_t reqs_available;
96 } ____cacheline_aligned_in_smp;
100 struct list_head active_reqs; /* used for cancellation */
101 } ____cacheline_aligned_in_smp;
104 struct mutex ring_lock;
105 wait_queue_head_t wait;
106 unsigned shadow_tail;
107 } ____cacheline_aligned_in_smp;
111 } ____cacheline_aligned_in_smp;
113 struct page *internal_pages[AIO_RING_PAGES];
116 /*------ sysctl variables----*/
117 static DEFINE_SPINLOCK(aio_nr_lock);
118 unsigned long aio_nr; /* current system wide number of aio requests */
119 unsigned long aio_max_nr = 0x10000; /* system wide maximum number of aio requests */
120 /*----end sysctl variables---*/
122 static struct kmem_cache *kiocb_cachep;
123 static struct kmem_cache *kioctx_cachep;
126 * Creates the slab caches used by the aio routines, panic on
127 * failure as this is done early during the boot sequence.
129 static int __init aio_setup(void)
131 kiocb_cachep = KMEM_CACHE(kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC);
132 kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC);
134 pr_debug("sizeof(struct page) = %zu\n", sizeof(struct page));
138 __initcall(aio_setup);
140 static void aio_free_ring(struct kioctx *ctx)
144 for (i = 0; i < ctx->nr_pages; i++)
145 put_page(ctx->ring_pages[i]);
148 vm_munmap(ctx->mmap_base, ctx->mmap_size);
150 if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages)
151 kfree(ctx->ring_pages);
154 static int aio_setup_ring(struct kioctx *ctx)
156 struct aio_ring *ring;
157 unsigned nr_events = ctx->max_reqs;
158 struct mm_struct *mm = current->mm;
159 unsigned long size, populate;
162 nr_events = max(nr_events, num_possible_cpus() * 4);
165 /* Compensate for the ring buffer's head/tail overlap entry */
166 nr_events += 2; /* 1 is required, 2 for good luck */
168 size = sizeof(struct aio_ring);
169 size += sizeof(struct io_event) * nr_events;
170 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
175 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
178 ctx->ring_pages = ctx->internal_pages;
179 if (nr_pages > AIO_RING_PAGES) {
180 ctx->ring_pages = kcalloc(nr_pages, sizeof(struct page *),
182 if (!ctx->ring_pages)
186 ctx->mmap_size = nr_pages * PAGE_SIZE;
187 pr_debug("attempting mmap of %lu bytes\n", ctx->mmap_size);
188 down_write(&mm->mmap_sem);
189 ctx->mmap_base = do_mmap_pgoff(NULL, 0, ctx->mmap_size,
190 PROT_READ|PROT_WRITE,
191 MAP_ANONYMOUS|MAP_PRIVATE, 0, &populate);
192 if (IS_ERR((void *)ctx->mmap_base)) {
193 up_write(&mm->mmap_sem);
199 pr_debug("mmap address: 0x%08lx\n", ctx->mmap_base);
200 ctx->nr_pages = get_user_pages(current, mm, ctx->mmap_base, nr_pages,
201 1, 0, ctx->ring_pages, NULL);
202 up_write(&mm->mmap_sem);
204 if (unlikely(ctx->nr_pages != nr_pages)) {
209 mm_populate(ctx->mmap_base, populate);
211 ctx->user_id = ctx->mmap_base;
212 ctx->nr = nr_events; /* trusted copy */
214 ring = kmap_atomic(ctx->ring_pages[0]);
215 ring->nr = nr_events; /* user copy */
216 ring->id = ctx->user_id;
217 ring->head = ring->tail = 0;
218 ring->magic = AIO_RING_MAGIC;
219 ring->compat_features = AIO_RING_COMPAT_FEATURES;
220 ring->incompat_features = AIO_RING_INCOMPAT_FEATURES;
221 ring->header_length = sizeof(struct aio_ring);
223 flush_dcache_page(ctx->ring_pages[0]);
228 #define AIO_EVENTS_PER_PAGE (PAGE_SIZE / sizeof(struct io_event))
229 #define AIO_EVENTS_FIRST_PAGE ((PAGE_SIZE - sizeof(struct aio_ring)) / sizeof(struct io_event))
230 #define AIO_EVENTS_OFFSET (AIO_EVENTS_PER_PAGE - AIO_EVENTS_FIRST_PAGE)
232 void kiocb_set_cancel_fn(struct kiocb *req, kiocb_cancel_fn *cancel)
234 struct kioctx *ctx = req->ki_ctx;
237 spin_lock_irqsave(&ctx->ctx_lock, flags);
239 if (!req->ki_list.next)
240 list_add(&req->ki_list, &ctx->active_reqs);
242 req->ki_cancel = cancel;
244 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
246 EXPORT_SYMBOL(kiocb_set_cancel_fn);
248 static int kiocb_cancel(struct kioctx *ctx, struct kiocb *kiocb,
249 struct io_event *res)
251 kiocb_cancel_fn *old, *cancel;
255 * Don't want to set kiocb->ki_cancel = KIOCB_CANCELLED unless it
256 * actually has a cancel function, hence the cmpxchg()
259 cancel = ACCESS_ONCE(kiocb->ki_cancel);
261 if (!cancel || cancel == KIOCB_CANCELLED)
265 cancel = cmpxchg(&kiocb->ki_cancel, old, KIOCB_CANCELLED);
266 } while (cancel != old);
268 atomic_inc(&kiocb->ki_users);
269 spin_unlock_irq(&ctx->ctx_lock);
271 memset(res, 0, sizeof(*res));
272 res->obj = (u64)(unsigned long)kiocb->ki_obj.user;
273 res->data = kiocb->ki_user_data;
274 ret = cancel(kiocb, res);
276 spin_lock_irq(&ctx->ctx_lock);
281 static void free_ioctx_rcu(struct rcu_head *head)
283 struct kioctx *ctx = container_of(head, struct kioctx, rcu_head);
285 free_percpu(ctx->cpu);
286 kmem_cache_free(kioctx_cachep, ctx);
290 * When this function runs, the kioctx has been removed from the "hash table"
291 * and ctx->users has dropped to 0, so we know no more kiocbs can be submitted -
292 * now it's safe to cancel any that need to be.
294 static void free_ioctx(struct kioctx *ctx)
296 struct aio_ring *ring;
299 unsigned cpu, head, avail;
301 spin_lock_irq(&ctx->ctx_lock);
303 while (!list_empty(&ctx->active_reqs)) {
304 req = list_first_entry(&ctx->active_reqs,
305 struct kiocb, ki_list);
307 list_del_init(&req->ki_list);
308 kiocb_cancel(ctx, req, &res);
311 spin_unlock_irq(&ctx->ctx_lock);
313 for_each_possible_cpu(cpu) {
314 struct kioctx_cpu *kcpu = per_cpu_ptr(ctx->cpu, cpu);
316 atomic_add(kcpu->reqs_available, &ctx->reqs_available);
317 kcpu->reqs_available = 0;
320 ring = kmap_atomic(ctx->ring_pages[0]);
324 while (atomic_read(&ctx->reqs_available) < ctx->nr) {
325 wait_event(ctx->wait, head != ctx->shadow_tail);
327 avail = (head < ctx->shadow_tail ? ctx->shadow_tail : ctx->nr) - head;
329 atomic_add(avail, &ctx->reqs_available);
334 WARN_ON(atomic_read(&ctx->reqs_available) > ctx->nr);
338 spin_lock(&aio_nr_lock);
339 BUG_ON(aio_nr - ctx->max_reqs > aio_nr);
340 aio_nr -= ctx->max_reqs;
341 spin_unlock(&aio_nr_lock);
343 pr_debug("freeing %p\n", ctx);
346 * Here the call_rcu() is between the wait_event() for reqs_active to
347 * hit 0, and freeing the ioctx.
349 * aio_complete() decrements reqs_active, but it has to touch the ioctx
350 * after to issue a wakeup so we use rcu.
352 call_rcu(&ctx->rcu_head, free_ioctx_rcu);
355 static void put_ioctx(struct kioctx *ctx)
357 if (percpu_ref_put(&ctx->users))
362 * Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
364 static struct kioctx *ioctx_alloc(unsigned nr_events)
366 struct mm_struct *mm = current->mm;
370 /* Prevent overflows */
371 if ((nr_events > (0x10000000U / sizeof(struct io_event))) ||
372 (nr_events > (0x10000000U / sizeof(struct kiocb)))) {
373 pr_debug("ENOMEM: nr_events too high\n");
374 return ERR_PTR(-EINVAL);
377 if (!nr_events || (unsigned long)nr_events > aio_max_nr)
378 return ERR_PTR(-EAGAIN);
380 ctx = kmem_cache_zalloc(kioctx_cachep, GFP_KERNEL);
382 return ERR_PTR(-ENOMEM);
384 ctx->max_reqs = nr_events;
386 percpu_ref_init(&ctx->users);
388 percpu_ref_get(&ctx->users);
391 spin_lock_init(&ctx->ctx_lock);
392 mutex_init(&ctx->ring_lock);
393 init_waitqueue_head(&ctx->wait);
395 INIT_LIST_HEAD(&ctx->active_reqs);
397 ctx->cpu = alloc_percpu(struct kioctx_cpu);
401 if (aio_setup_ring(ctx) < 0)
404 atomic_set(&ctx->reqs_available, ctx->nr);
405 ctx->req_batch = ctx->nr / (num_possible_cpus() * 4);
406 BUG_ON(!ctx->req_batch);
408 /* limit the number of system wide aios */
409 spin_lock(&aio_nr_lock);
410 if (aio_nr + nr_events > aio_max_nr ||
411 aio_nr + nr_events < aio_nr) {
412 spin_unlock(&aio_nr_lock);
415 aio_nr += ctx->max_reqs;
416 spin_unlock(&aio_nr_lock);
418 /* now link into global list. */
419 spin_lock(&mm->ioctx_lock);
420 hlist_add_head_rcu(&ctx->list, &mm->ioctx_list);
421 spin_unlock(&mm->ioctx_lock);
423 pr_debug("allocated ioctx %p[%ld]: mm=%p mask=0x%x\n",
424 ctx, ctx->user_id, mm, ctx->nr);
431 free_percpu(ctx->cpu);
433 kmem_cache_free(kioctx_cachep, ctx);
434 pr_debug("error allocating ioctx %d\n", err);
438 static void kill_ioctx_work(struct work_struct *work)
440 struct kioctx *ctx = container_of(work, struct kioctx, rcu_work);
442 wake_up_all(&ctx->wait);
446 static void kill_ioctx_rcu(struct rcu_head *head)
448 struct kioctx *ctx = container_of(head, struct kioctx, rcu_head);
450 INIT_WORK(&ctx->rcu_work, kill_ioctx_work);
451 schedule_work(&ctx->rcu_work);
455 * Cancels all outstanding aio requests on an aio context. Used
456 * when the processes owning a context have all exited to encourage
457 * the rapid destruction of the kioctx.
459 static void kill_ioctx(struct kioctx *ctx)
461 if (percpu_ref_kill(&ctx->users)) {
462 hlist_del_rcu(&ctx->list);
463 /* Between hlist_del_rcu() and dropping the initial ref */
467 * We can't punt to workqueue here because put_ioctx() ->
468 * free_ioctx() will unmap the ringbuffer, and that has to be
469 * done in the original process's context. kill_ioctx_rcu/work()
470 * exist for exit_aio(), as in that path free_ioctx() won't do
473 kill_ioctx_work(&ctx->rcu_work);
477 /* wait_on_sync_kiocb:
478 * Waits on the given sync kiocb to complete.
480 ssize_t wait_on_sync_kiocb(struct kiocb *iocb)
482 while (atomic_read(&iocb->ki_users)) {
483 set_current_state(TASK_UNINTERRUPTIBLE);
484 if (!atomic_read(&iocb->ki_users))
488 __set_current_state(TASK_RUNNING);
489 return iocb->ki_user_data;
491 EXPORT_SYMBOL(wait_on_sync_kiocb);
494 * exit_aio: called when the last user of mm goes away. At this point, there is
495 * no way for any new requests to be submited or any of the io_* syscalls to be
496 * called on the context.
498 * There may be outstanding kiocbs, but free_ioctx() will explicitly wait on
501 void exit_aio(struct mm_struct *mm)
504 struct hlist_node *n;
506 hlist_for_each_entry_safe(ctx, n, &mm->ioctx_list, list) {
508 * We don't need to bother with munmap() here -
509 * exit_mmap(mm) is coming and it'll unmap everything.
510 * Since aio_free_ring() uses non-zero ->mmap_size
511 * as indicator that it needs to unmap the area,
512 * just set it to 0; aio_free_ring() is the only
513 * place that uses ->mmap_size, so it's safe.
517 if (percpu_ref_kill(&ctx->users)) {
518 hlist_del_rcu(&ctx->list);
519 call_rcu(&ctx->rcu_head, kill_ioctx_rcu);
524 static void put_reqs_available(struct kioctx *ctx, unsigned nr)
526 struct kioctx_cpu *kcpu;
529 kcpu = this_cpu_ptr(ctx->cpu);
531 kcpu->reqs_available += nr;
532 while (kcpu->reqs_available >= ctx->req_batch * 2) {
533 kcpu->reqs_available -= ctx->req_batch;
534 atomic_add(ctx->req_batch, &ctx->reqs_available);
540 static bool get_reqs_available(struct kioctx *ctx)
542 struct kioctx_cpu *kcpu;
546 kcpu = this_cpu_ptr(ctx->cpu);
548 if (!kcpu->reqs_available) {
549 int old, avail = atomic_read(&ctx->reqs_available);
552 if (avail < ctx->req_batch)
556 avail = atomic_cmpxchg(&ctx->reqs_available,
557 avail, avail - ctx->req_batch);
558 } while (avail != old);
560 kcpu->reqs_available += ctx->req_batch;
564 kcpu->reqs_available--;
571 * Allocate a slot for an aio request. Increments the ki_users count
572 * of the kioctx so that the kioctx stays around until all requests are
573 * complete. Returns NULL if no requests are free.
575 * Returns with kiocb->ki_users set to 2. The io submit code path holds
576 * an extra reference while submitting the i/o.
577 * This prevents races between the aio code path referencing the
578 * req (after submitting it) and aio_complete() freeing the req.
580 static inline struct kiocb *aio_get_req(struct kioctx *ctx)
584 if (!get_reqs_available(ctx))
587 req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO);
591 atomic_set(&req->ki_users, 2);
595 put_reqs_available(ctx, 1);
599 static void kiocb_free(struct kiocb *req)
603 if (req->ki_eventfd != NULL)
604 eventfd_ctx_put(req->ki_eventfd);
607 if (req->ki_iovec != &req->ki_inline_vec)
608 kfree(req->ki_iovec);
609 kmem_cache_free(kiocb_cachep, req);
612 void aio_put_req(struct kiocb *req)
614 if (atomic_dec_and_test(&req->ki_users))
617 EXPORT_SYMBOL(aio_put_req);
619 static struct kioctx *lookup_ioctx(unsigned long ctx_id)
621 struct mm_struct *mm = current->mm;
622 struct kioctx *ctx, *ret = NULL;
626 hlist_for_each_entry_rcu(ctx, &mm->ioctx_list, list) {
627 if (ctx->user_id == ctx_id){
628 percpu_ref_get(&ctx->users);
638 static inline unsigned kioctx_ring_put(struct kioctx *ctx, struct kiocb *req,
641 struct io_event *ev_page, *event;
642 unsigned pos = tail + AIO_EVENTS_OFFSET;
644 if (++tail >= ctx->nr)
647 ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
648 event = ev_page + pos % AIO_EVENTS_PER_PAGE;
650 event->obj = (u64)(unsigned long)req->ki_obj.user;
651 event->data = req->ki_user_data;
652 event->res = req->ki_res;
653 event->res2 = req->ki_res2;
655 kunmap_atomic(ev_page);
656 flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
658 pr_debug("%p[%u]: %p: %p %Lx %lx %lx\n",
659 ctx, tail, req, req->ki_obj.user, req->ki_user_data,
660 req->ki_res, req->ki_res2);
665 static inline unsigned kioctx_ring_lock(struct kioctx *ctx)
670 * ctx->tail is both our lock and the canonical version of the tail
673 while ((tail = xchg(&ctx->tail, UINT_MAX)) == UINT_MAX)
679 static inline void kioctx_ring_unlock(struct kioctx *ctx, unsigned tail)
681 struct aio_ring *ring;
684 /* make event visible before updating tail */
686 ctx->shadow_tail = tail;
688 ring = kmap_atomic(ctx->ring_pages[0]);
691 flush_dcache_page(ctx->ring_pages[0]);
693 /* unlock, make new tail visible before checking waitlist */
698 if (waitqueue_active(&ctx->wait))
702 void batch_complete_aio(struct batch_complete *batch)
704 struct kioctx *ctx = NULL;
705 struct eventfd_ctx *eventfd = NULL;
710 if (RB_EMPTY_ROOT(&batch->kiocb))
714 * Take rcu_read_lock() in case the kioctx is being destroyed, as we
715 * need to issue a wakeup after incrementing reqs_available.
718 local_irq_save(flags);
720 n = rb_first(&batch->kiocb);
722 struct kiocb *req = container_of(n, struct kiocb, ki_node);
725 n->rb_right->__rb_parent_color = n->__rb_parent_color;
734 if (unlikely(xchg(&req->ki_cancel,
735 KIOCB_CANCELLED) == KIOCB_CANCELLED)) {
737 * Can't use the percpu reqs_available here - could race
740 atomic_inc(&req->ki_ctx->reqs_available);
745 if (unlikely(req->ki_eventfd != eventfd)) {
747 /* Make event visible */
748 kioctx_ring_unlock(ctx, tail);
751 eventfd_signal(eventfd, 1);
752 eventfd_ctx_put(eventfd);
755 eventfd = req->ki_eventfd;
756 req->ki_eventfd = NULL;
759 if (unlikely(req->ki_ctx != ctx)) {
761 kioctx_ring_unlock(ctx, tail);
764 tail = kioctx_ring_lock(ctx);
767 tail = kioctx_ring_put(ctx, req, tail);
771 kioctx_ring_unlock(ctx, tail);
772 local_irq_restore(flags);
776 * Check if the user asked us to deliver the result through an
777 * eventfd. The eventfd_signal() function is safe to be called
781 eventfd_signal(eventfd, 1);
782 eventfd_ctx_put(eventfd);
785 EXPORT_SYMBOL(batch_complete_aio);
787 /* aio_complete_batch
788 * Called when the io request on the given iocb is complete; @batch may be
791 void aio_complete_batch(struct kiocb *req, long res, long res2,
792 struct batch_complete *batch)
797 if (req->ki_list.next) {
798 struct kioctx *ctx = req->ki_ctx;
801 spin_lock_irqsave(&ctx->ctx_lock, flags);
802 list_del(&req->ki_list);
803 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
807 * Special case handling for sync iocbs:
808 * - events go directly into the iocb for fast handling
809 * - the sync task with the iocb in its stack holds the single iocb
810 * ref, no other paths have a way to get another ref
811 * - the sync task helpfully left a reference to itself in the iocb
813 if (is_sync_kiocb(req)) {
814 BUG_ON(atomic_read(&req->ki_users) != 1);
815 req->ki_user_data = req->ki_res;
816 atomic_set(&req->ki_users, 0);
817 wake_up_process(req->ki_obj.tsk);
821 struct rb_node **n = &batch->kiocb.rb_node, *parent = NULL;
825 t = container_of(*n, struct kiocb, ki_node);
827 res = req->ki_ctx != t->ki_ctx
828 ? req->ki_ctx < t->ki_ctx
829 : req->ki_eventfd != t->ki_eventfd
830 ? req->ki_eventfd < t->ki_eventfd
833 n = res ? &(*n)->rb_left : &(*n)->rb_right;
836 rb_link_node(&req->ki_node, parent, n);
837 rb_insert_color(&req->ki_node, &batch->kiocb);
839 struct batch_complete batch_stack;
841 memset(&req->ki_node, 0, sizeof(req->ki_node));
842 batch_stack.kiocb.rb_node = &req->ki_node;
844 batch_complete_aio(&batch_stack);
847 EXPORT_SYMBOL(aio_complete_batch);
850 * Pull an event off of the ioctx's event ring. Returns the number of
853 static int aio_read_events_ring(struct kioctx *ctx,
854 struct io_event __user *event, long nr)
856 struct aio_ring *ring;
858 int ret = 0, copy_ret;
860 if (!mutex_trylock(&ctx->ring_lock)) {
861 __set_current_state(TASK_RUNNING);
862 mutex_lock(&ctx->ring_lock);
865 ring = kmap_atomic(ctx->ring_pages[0]);
869 pr_debug("h%u t%u m%u\n", head, ctx->shadow_tail, ctx->nr);
871 if (head == ctx->shadow_tail)
874 __set_current_state(TASK_RUNNING);
877 unsigned i = (head < ctx->shadow_tail ? ctx->shadow_tail : ctx->nr) - head;
881 if (head == ctx->shadow_tail)
884 i = min_t(int, i, nr - ret);
885 i = min_t(int, i, AIO_EVENTS_PER_PAGE -
886 ((head + AIO_EVENTS_OFFSET) % AIO_EVENTS_PER_PAGE));
888 pos = head + AIO_EVENTS_OFFSET;
889 page = ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE];
890 pos %= AIO_EVENTS_PER_PAGE;
893 copy_ret = copy_to_user(event + ret, ev + pos, sizeof(*ev) * i);
896 if (unlikely(copy_ret)) {
906 ring = kmap_atomic(ctx->ring_pages[0]);
909 flush_dcache_page(ctx->ring_pages[0]);
911 pr_debug("%d h%u t%u\n", ret, head, ctx->shadow_tail);
913 put_reqs_available(ctx, ret);
915 mutex_unlock(&ctx->ring_lock);
920 static bool aio_read_events(struct kioctx *ctx, long min_nr, long nr,
921 struct io_event __user *event, long *i)
923 long ret = aio_read_events_ring(ctx, event + *i, nr - *i);
928 if (unlikely(percpu_ref_dead(&ctx->users)))
934 return ret < 0 || *i >= min_nr;
937 static long read_events(struct kioctx *ctx, long min_nr, long nr,
938 struct io_event __user *event,
939 struct timespec __user *timeout)
941 ktime_t until = { .tv64 = KTIME_MAX };
947 if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
950 until = timespec_to_ktime(ts);
953 wait_event_interruptible_hrtimeout(ctx->wait,
954 aio_read_events(ctx, min_nr, nr, event, &ret), until);
956 if (!ret && signal_pending(current))
963 * Create an aio_context capable of receiving at least nr_events.
964 * ctxp must not point to an aio_context that already exists, and
965 * must be initialized to 0 prior to the call. On successful
966 * creation of the aio_context, *ctxp is filled in with the resulting
967 * handle. May fail with -EINVAL if *ctxp is not initialized,
968 * if the specified nr_events exceeds internal limits. May fail
969 * with -EAGAIN if the specified nr_events exceeds the user's limit
970 * of available events. May fail with -ENOMEM if insufficient kernel
971 * resources are available. May fail with -EFAULT if an invalid
972 * pointer is passed for ctxp. Will fail with -ENOSYS if not
975 SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
977 struct kioctx *ioctx = NULL;
981 ret = get_user(ctx, ctxp);
986 if (unlikely(ctx || nr_events == 0)) {
987 pr_debug("EINVAL: io_setup: ctx %lu nr_events %u\n",
992 ioctx = ioctx_alloc(nr_events);
993 ret = PTR_ERR(ioctx);
994 if (!IS_ERR(ioctx)) {
995 ret = put_user(ioctx->user_id, ctxp);
1006 * Destroy the aio_context specified. May cancel any outstanding
1007 * AIOs and block on completion. Will fail with -ENOSYS if not
1008 * implemented. May fail with -EINVAL if the context pointed to
1011 SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
1013 struct kioctx *ioctx = lookup_ioctx(ctx);
1014 if (likely(NULL != ioctx)) {
1019 pr_debug("EINVAL: io_destroy: invalid context id\n");
1023 static void aio_advance_iovec(struct kiocb *iocb, ssize_t ret)
1025 struct iovec *iov = &iocb->ki_iovec[iocb->ki_cur_seg];
1029 while (iocb->ki_cur_seg < iocb->ki_nr_segs && ret > 0) {
1030 ssize_t this = min((ssize_t)iov->iov_len, ret);
1031 iov->iov_base += this;
1032 iov->iov_len -= this;
1033 iocb->ki_left -= this;
1035 if (iov->iov_len == 0) {
1041 /* the caller should not have done more io than what fit in
1042 * the remaining iovecs */
1043 BUG_ON(ret > 0 && iocb->ki_left == 0);
1046 typedef ssize_t (aio_rw_op)(struct kiocb *, const struct iovec *,
1047 unsigned long, loff_t);
1049 static ssize_t aio_rw_vect_retry(struct kiocb *iocb, int rw, aio_rw_op *rw_op)
1051 struct file *file = iocb->ki_filp;
1052 struct address_space *mapping = file->f_mapping;
1053 struct inode *inode = mapping->host;
1056 /* This matches the pread()/pwrite() logic */
1057 if (iocb->ki_pos < 0)
1061 ret = rw_op(iocb, &iocb->ki_iovec[iocb->ki_cur_seg],
1062 iocb->ki_nr_segs - iocb->ki_cur_seg,
1065 aio_advance_iovec(iocb, ret);
1067 /* retry all partial writes. retry partial reads as long as its a
1069 } while (ret > 0 && iocb->ki_left > 0 &&
1071 (!S_ISFIFO(inode->i_mode) && !S_ISSOCK(inode->i_mode))));
1073 /* This means we must have transferred all that we could */
1074 /* No need to retry anymore */
1075 if ((ret == 0) || (iocb->ki_left == 0))
1076 ret = iocb->ki_nbytes - iocb->ki_left;
1078 /* If we managed to write some out we return that, rather than
1079 * the eventual error. */
1081 && ret < 0 && ret != -EIOCBQUEUED
1082 && iocb->ki_nbytes - iocb->ki_left)
1083 ret = iocb->ki_nbytes - iocb->ki_left;
1088 static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
1092 kiocb->ki_nr_segs = kiocb->ki_nbytes;
1094 #ifdef CONFIG_COMPAT
1096 ret = compat_rw_copy_check_uvector(rw,
1097 (struct compat_iovec __user *)kiocb->ki_buf,
1098 kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec,
1102 ret = rw_copy_check_uvector(rw,
1103 (struct iovec __user *)kiocb->ki_buf,
1104 kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec,
1109 /* ki_nbytes now reflect bytes instead of segs */
1110 kiocb->ki_nbytes = ret;
1114 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
1116 if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
1119 kiocb->ki_iovec = &kiocb->ki_inline_vec;
1120 kiocb->ki_iovec->iov_base = kiocb->ki_buf;
1121 kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
1122 kiocb->ki_nr_segs = 1;
1128 * Performs the initial checks and aio retry method
1129 * setup for the kiocb at the time of io submission.
1131 static ssize_t aio_run_iocb(struct kiocb *req, bool compat)
1133 struct file *file = req->ki_filp;
1139 switch (req->ki_opcode) {
1140 case IOCB_CMD_PREAD:
1141 case IOCB_CMD_PREADV:
1144 rw_op = file->f_op->aio_read;
1147 case IOCB_CMD_PWRITE:
1148 case IOCB_CMD_PWRITEV:
1151 rw_op = file->f_op->aio_write;
1154 if (unlikely(!(file->f_mode & mode)))
1160 ret = (req->ki_opcode == IOCB_CMD_PREADV ||
1161 req->ki_opcode == IOCB_CMD_PWRITEV)
1162 ? aio_setup_vectored_rw(rw, req, compat)
1163 : aio_setup_single_vector(rw, req);
1167 ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
1171 req->ki_nbytes = ret;
1174 ret = aio_rw_vect_retry(req, rw, rw_op);
1177 case IOCB_CMD_FDSYNC:
1178 if (!file->f_op->aio_fsync)
1181 ret = file->f_op->aio_fsync(req, 1);
1184 case IOCB_CMD_FSYNC:
1185 if (!file->f_op->aio_fsync)
1188 ret = file->f_op->aio_fsync(req, 0);
1192 pr_debug("EINVAL: no operation provided\n");
1196 if (ret != -EIOCBQUEUED) {
1198 * There's no easy way to restart the syscall since other AIO's
1199 * may be already running. Just fail this IO with EINTR.
1201 if (unlikely(ret == -ERESTARTSYS || ret == -ERESTARTNOINTR ||
1202 ret == -ERESTARTNOHAND || ret == -ERESTART_RESTARTBLOCK))
1204 aio_complete(req, ret, 0);
1210 static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1211 struct iocb *iocb, bool compat)
1216 /* enforce forwards compatibility on users */
1217 if (unlikely(iocb->aio_reserved1 || iocb->aio_reserved2)) {
1218 pr_debug("EINVAL: reserve field set\n");
1222 /* prevent overflows */
1224 (iocb->aio_buf != (unsigned long)iocb->aio_buf) ||
1225 (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) ||
1226 ((ssize_t)iocb->aio_nbytes < 0)
1228 pr_debug("EINVAL: io_submit: overflow check\n");
1232 req = aio_get_req(ctx);
1236 req->ki_filp = fget(iocb->aio_fildes);
1237 if (unlikely(!req->ki_filp)) {
1242 if (iocb->aio_flags & IOCB_FLAG_RESFD) {
1244 * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
1245 * instance of the file* now. The file descriptor must be
1246 * an eventfd() fd, and will be signaled for each completed
1247 * event using the eventfd_signal() function.
1249 req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd);
1250 if (IS_ERR(req->ki_eventfd)) {
1251 ret = PTR_ERR(req->ki_eventfd);
1252 req->ki_eventfd = NULL;
1257 ret = put_user(KIOCB_KEY, &user_iocb->aio_key);
1258 if (unlikely(ret)) {
1259 pr_debug("EFAULT: aio_key\n");
1263 req->ki_obj.user = user_iocb;
1264 req->ki_user_data = iocb->aio_data;
1265 req->ki_pos = iocb->aio_offset;
1267 req->ki_buf = (char __user *)(unsigned long)iocb->aio_buf;
1268 req->ki_left = req->ki_nbytes = iocb->aio_nbytes;
1269 req->ki_opcode = iocb->aio_lio_opcode;
1271 ret = aio_run_iocb(req, compat);
1275 aio_put_req(req); /* drop extra ref to req */
1278 put_reqs_available(ctx, 1);
1279 aio_put_req(req); /* drop extra ref to req */
1280 aio_put_req(req); /* drop i/o ref to req */
1284 long do_io_submit(aio_context_t ctx_id, long nr,
1285 struct iocb __user *__user *iocbpp, bool compat)
1290 struct blk_plug plug;
1292 if (unlikely(nr < 0))
1295 if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
1296 nr = LONG_MAX/sizeof(*iocbpp);
1298 if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
1301 ctx = lookup_ioctx(ctx_id);
1302 if (unlikely(!ctx)) {
1303 pr_debug("EINVAL: invalid context id\n");
1307 blk_start_plug(&plug);
1310 * AKPM: should this return a partial result if some of the IOs were
1311 * successfully submitted?
1313 for (i=0; i<nr; i++) {
1314 struct iocb __user *user_iocb;
1317 if (unlikely(__get_user(user_iocb, iocbpp + i))) {
1322 if (unlikely(copy_from_user(&tmp, user_iocb, sizeof(tmp)))) {
1327 ret = io_submit_one(ctx, user_iocb, &tmp, compat);
1331 blk_finish_plug(&plug);
1338 * Queue the nr iocbs pointed to by iocbpp for processing. Returns
1339 * the number of iocbs queued. May return -EINVAL if the aio_context
1340 * specified by ctx_id is invalid, if nr is < 0, if the iocb at
1341 * *iocbpp[0] is not properly initialized, if the operation specified
1342 * is invalid for the file descriptor in the iocb. May fail with
1343 * -EFAULT if any of the data structures point to invalid data. May
1344 * fail with -EBADF if the file descriptor specified in the first
1345 * iocb is invalid. May fail with -EAGAIN if insufficient resources
1346 * are available to queue any iocbs. Will return 0 if nr is 0. Will
1347 * fail with -ENOSYS if not implemented.
1349 SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
1350 struct iocb __user * __user *, iocbpp)
1352 return do_io_submit(ctx_id, nr, iocbpp, 0);
1356 * Finds a given iocb for cancellation.
1358 static struct kiocb *lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb,
1361 struct list_head *pos;
1363 assert_spin_locked(&ctx->ctx_lock);
1365 if (key != KIOCB_KEY)
1368 /* TODO: use a hash or array, this sucks. */
1369 list_for_each(pos, &ctx->active_reqs) {
1370 struct kiocb *kiocb = list_kiocb(pos);
1371 if (kiocb->ki_obj.user == iocb)
1378 * Attempts to cancel an iocb previously passed to io_submit. If
1379 * the operation is successfully cancelled, the resulting event is
1380 * copied into the memory pointed to by result without being placed
1381 * into the completion queue and 0 is returned. May fail with
1382 * -EFAULT if any of the data structures pointed to are invalid.
1383 * May fail with -EINVAL if aio_context specified by ctx_id is
1384 * invalid. May fail with -EAGAIN if the iocb specified was not
1385 * cancelled. Will fail with -ENOSYS if not implemented.
1387 SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
1388 struct io_event __user *, result)
1390 struct io_event res;
1392 struct kiocb *kiocb;
1396 ret = get_user(key, &iocb->aio_key);
1400 ctx = lookup_ioctx(ctx_id);
1404 spin_lock_irq(&ctx->ctx_lock);
1406 kiocb = lookup_kiocb(ctx, iocb, key);
1408 ret = kiocb_cancel(ctx, kiocb, &res);
1412 spin_unlock_irq(&ctx->ctx_lock);
1415 /* Cancellation succeeded -- copy the result
1416 * into the user's buffer.
1418 if (copy_to_user(result, &res, sizeof(res)))
1428 * Attempts to read at least min_nr events and up to nr events from
1429 * the completion queue for the aio_context specified by ctx_id. If
1430 * it succeeds, the number of read events is returned. May fail with
1431 * -EINVAL if ctx_id is invalid, if min_nr is out of range, if nr is
1432 * out of range, if timeout is out of range. May fail with -EFAULT
1433 * if any of the memory specified is invalid. May return 0 or
1434 * < min_nr if the timeout specified by timeout has elapsed
1435 * before sufficient events are available, where timeout == NULL
1436 * specifies an infinite timeout. Note that the timeout pointed to by
1437 * timeout is relative and will be updated if not NULL and the
1438 * operation blocks. Will fail with -ENOSYS if not implemented.
1440 SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id,
1443 struct io_event __user *, events,
1444 struct timespec __user *, timeout)
1446 struct kioctx *ioctx = lookup_ioctx(ctx_id);
1449 if (likely(ioctx)) {
1450 if (likely(min_nr <= nr && min_nr >= 0))
1451 ret = read_events(ioctx, min_nr, nr, events, timeout);