Loading...
1/*
2 * An async IO implementation for Linux
3 * Written by Benjamin LaHaise <bcrl@kvack.org>
4 *
5 * Implements an efficient asynchronous io interface.
6 *
7 * Copyright 2000, 2001, 2002 Red Hat, Inc. All Rights Reserved.
8 *
9 * See ../COPYING for licensing terms.
10 */
11#define pr_fmt(fmt) "%s: " fmt, __func__
12
13#include <linux/kernel.h>
14#include <linux/init.h>
15#include <linux/errno.h>
16#include <linux/time.h>
17#include <linux/aio_abi.h>
18#include <linux/export.h>
19#include <linux/syscalls.h>
20#include <linux/backing-dev.h>
21#include <linux/uio.h>
22
23#include <linux/sched/signal.h>
24#include <linux/fs.h>
25#include <linux/file.h>
26#include <linux/mm.h>
27#include <linux/mman.h>
28#include <linux/mmu_context.h>
29#include <linux/percpu.h>
30#include <linux/slab.h>
31#include <linux/timer.h>
32#include <linux/aio.h>
33#include <linux/highmem.h>
34#include <linux/workqueue.h>
35#include <linux/security.h>
36#include <linux/eventfd.h>
37#include <linux/blkdev.h>
38#include <linux/compat.h>
39#include <linux/migrate.h>
40#include <linux/ramfs.h>
41#include <linux/percpu-refcount.h>
42#include <linux/mount.h>
43
44#include <asm/kmap_types.h>
45#include <linux/uaccess.h>
46
47#include "internal.h"
48
49#define AIO_RING_MAGIC 0xa10a10a1
50#define AIO_RING_COMPAT_FEATURES 1
51#define AIO_RING_INCOMPAT_FEATURES 0
52struct aio_ring {
53 unsigned id; /* kernel internal index number */
54 unsigned nr; /* number of io_events */
55 unsigned head; /* Written to by userland or under ring_lock
56 * mutex by aio_read_events_ring(). */
57 unsigned tail;
58
59 unsigned magic;
60 unsigned compat_features;
61 unsigned incompat_features;
62 unsigned header_length; /* size of aio_ring */
63
64
65 struct io_event io_events[0];
66}; /* 128 bytes + ring size */
67
68#define AIO_RING_PAGES 8
69
70struct kioctx_table {
71 struct rcu_head rcu;
72 unsigned nr;
73 struct kioctx __rcu *table[];
74};
75
76struct kioctx_cpu {
77 unsigned reqs_available;
78};
79
80struct ctx_rq_wait {
81 struct completion comp;
82 atomic_t count;
83};
84
85struct kioctx {
86 struct percpu_ref users;
87 atomic_t dead;
88
89 struct percpu_ref reqs;
90
91 unsigned long user_id;
92
93 struct __percpu kioctx_cpu *cpu;
94
95 /*
96 * For percpu reqs_available, number of slots we move to/from global
97 * counter at a time:
98 */
99 unsigned req_batch;
100 /*
101 * This is what userspace passed to io_setup(), it's not used for
102 * anything but counting against the global max_reqs quota.
103 *
104 * The real limit is nr_events - 1, which will be larger (see
105 * aio_setup_ring())
106 */
107 unsigned max_reqs;
108
109 /* Size of ringbuffer, in units of struct io_event */
110 unsigned nr_events;
111
112 unsigned long mmap_base;
113 unsigned long mmap_size;
114
115 struct page **ring_pages;
116 long nr_pages;
117
118 struct rcu_work free_rwork; /* see free_ioctx() */
119
120 /*
121 * signals when all in-flight requests are done
122 */
123 struct ctx_rq_wait *rq_wait;
124
125 struct {
126 /*
127 * This counts the number of available slots in the ringbuffer,
128 * so we avoid overflowing it: it's decremented (if positive)
129 * when allocating a kiocb and incremented when the resulting
130 * io_event is pulled off the ringbuffer.
131 *
132 * We batch accesses to it with a percpu version.
133 */
134 atomic_t reqs_available;
135 } ____cacheline_aligned_in_smp;
136
137 struct {
138 spinlock_t ctx_lock;
139 struct list_head active_reqs; /* used for cancellation */
140 } ____cacheline_aligned_in_smp;
141
142 struct {
143 struct mutex ring_lock;
144 wait_queue_head_t wait;
145 } ____cacheline_aligned_in_smp;
146
147 struct {
148 unsigned tail;
149 unsigned completed_events;
150 spinlock_t completion_lock;
151 } ____cacheline_aligned_in_smp;
152
153 struct page *internal_pages[AIO_RING_PAGES];
154 struct file *aio_ring_file;
155
156 unsigned id;
157};
158
159/*
160 * We use ki_cancel == KIOCB_CANCELLED to indicate that a kiocb has been either
161 * cancelled or completed (this makes a certain amount of sense because
162 * successful cancellation - io_cancel() - does deliver the completion to
163 * userspace).
164 *
165 * And since most things don't implement kiocb cancellation and we'd really like
166 * kiocb completion to be lockless when possible, we use ki_cancel to
167 * synchronize cancellation and completion - we only set it to KIOCB_CANCELLED
168 * with xchg() or cmpxchg(), see batch_complete_aio() and kiocb_cancel().
169 */
170#define KIOCB_CANCELLED ((void *) (~0ULL))
171
172struct aio_kiocb {
173 struct kiocb common;
174
175 struct kioctx *ki_ctx;
176 kiocb_cancel_fn *ki_cancel;
177
178 struct iocb __user *ki_user_iocb; /* user's aiocb */
179 __u64 ki_user_data; /* user's data for completion */
180
181 struct list_head ki_list; /* the aio core uses this
182 * for cancellation */
183
184 /*
185 * If the aio_resfd field of the userspace iocb is not zero,
186 * this is the underlying eventfd context to deliver events to.
187 */
188 struct eventfd_ctx *ki_eventfd;
189};
190
191/*------ sysctl variables----*/
192static DEFINE_SPINLOCK(aio_nr_lock);
193unsigned long aio_nr; /* current system wide number of aio requests */
194unsigned long aio_max_nr = 0x10000; /* system wide maximum number of aio requests */
195/*----end sysctl variables---*/
196
197static struct kmem_cache *kiocb_cachep;
198static struct kmem_cache *kioctx_cachep;
199
200static struct vfsmount *aio_mnt;
201
202static const struct file_operations aio_ring_fops;
203static const struct address_space_operations aio_ctx_aops;
204
205static struct file *aio_private_file(struct kioctx *ctx, loff_t nr_pages)
206{
207 struct qstr this = QSTR_INIT("[aio]", 5);
208 struct file *file;
209 struct path path;
210 struct inode *inode = alloc_anon_inode(aio_mnt->mnt_sb);
211 if (IS_ERR(inode))
212 return ERR_CAST(inode);
213
214 inode->i_mapping->a_ops = &aio_ctx_aops;
215 inode->i_mapping->private_data = ctx;
216 inode->i_size = PAGE_SIZE * nr_pages;
217
218 path.dentry = d_alloc_pseudo(aio_mnt->mnt_sb, &this);
219 if (!path.dentry) {
220 iput(inode);
221 return ERR_PTR(-ENOMEM);
222 }
223 path.mnt = mntget(aio_mnt);
224
225 d_instantiate(path.dentry, inode);
226 file = alloc_file(&path, FMODE_READ | FMODE_WRITE, &aio_ring_fops);
227 if (IS_ERR(file)) {
228 path_put(&path);
229 return file;
230 }
231
232 file->f_flags = O_RDWR;
233 return file;
234}
235
236static struct dentry *aio_mount(struct file_system_type *fs_type,
237 int flags, const char *dev_name, void *data)
238{
239 static const struct dentry_operations ops = {
240 .d_dname = simple_dname,
241 };
242 struct dentry *root = mount_pseudo(fs_type, "aio:", NULL, &ops,
243 AIO_RING_MAGIC);
244
245 if (!IS_ERR(root))
246 root->d_sb->s_iflags |= SB_I_NOEXEC;
247 return root;
248}
249
250/* aio_setup
251 * Creates the slab caches used by the aio routines, panic on
252 * failure as this is done early during the boot sequence.
253 */
254static int __init aio_setup(void)
255{
256 static struct file_system_type aio_fs = {
257 .name = "aio",
258 .mount = aio_mount,
259 .kill_sb = kill_anon_super,
260 };
261 aio_mnt = kern_mount(&aio_fs);
262 if (IS_ERR(aio_mnt))
263 panic("Failed to create aio fs mount.");
264
265 kiocb_cachep = KMEM_CACHE(aio_kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC);
266 kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC);
267
268 pr_debug("sizeof(struct page) = %zu\n", sizeof(struct page));
269
270 return 0;
271}
272__initcall(aio_setup);
273
274static void put_aio_ring_file(struct kioctx *ctx)
275{
276 struct file *aio_ring_file = ctx->aio_ring_file;
277 struct address_space *i_mapping;
278
279 if (aio_ring_file) {
280 truncate_setsize(file_inode(aio_ring_file), 0);
281
282 /* Prevent further access to the kioctx from migratepages */
283 i_mapping = aio_ring_file->f_mapping;
284 spin_lock(&i_mapping->private_lock);
285 i_mapping->private_data = NULL;
286 ctx->aio_ring_file = NULL;
287 spin_unlock(&i_mapping->private_lock);
288
289 fput(aio_ring_file);
290 }
291}
292
293static void aio_free_ring(struct kioctx *ctx)
294{
295 int i;
296
297 /* Disconnect the kiotx from the ring file. This prevents future
298 * accesses to the kioctx from page migration.
299 */
300 put_aio_ring_file(ctx);
301
302 for (i = 0; i < ctx->nr_pages; i++) {
303 struct page *page;
304 pr_debug("pid(%d) [%d] page->count=%d\n", current->pid, i,
305 page_count(ctx->ring_pages[i]));
306 page = ctx->ring_pages[i];
307 if (!page)
308 continue;
309 ctx->ring_pages[i] = NULL;
310 put_page(page);
311 }
312
313 if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages) {
314 kfree(ctx->ring_pages);
315 ctx->ring_pages = NULL;
316 }
317}
318
319static int aio_ring_mremap(struct vm_area_struct *vma)
320{
321 struct file *file = vma->vm_file;
322 struct mm_struct *mm = vma->vm_mm;
323 struct kioctx_table *table;
324 int i, res = -EINVAL;
325
326 spin_lock(&mm->ioctx_lock);
327 rcu_read_lock();
328 table = rcu_dereference(mm->ioctx_table);
329 for (i = 0; i < table->nr; i++) {
330 struct kioctx *ctx;
331
332 ctx = rcu_dereference(table->table[i]);
333 if (ctx && ctx->aio_ring_file == file) {
334 if (!atomic_read(&ctx->dead)) {
335 ctx->user_id = ctx->mmap_base = vma->vm_start;
336 res = 0;
337 }
338 break;
339 }
340 }
341
342 rcu_read_unlock();
343 spin_unlock(&mm->ioctx_lock);
344 return res;
345}
346
347static const struct vm_operations_struct aio_ring_vm_ops = {
348 .mremap = aio_ring_mremap,
349#if IS_ENABLED(CONFIG_MMU)
350 .fault = filemap_fault,
351 .map_pages = filemap_map_pages,
352 .page_mkwrite = filemap_page_mkwrite,
353#endif
354};
355
356static int aio_ring_mmap(struct file *file, struct vm_area_struct *vma)
357{
358 vma->vm_flags |= VM_DONTEXPAND;
359 vma->vm_ops = &aio_ring_vm_ops;
360 return 0;
361}
362
363static const struct file_operations aio_ring_fops = {
364 .mmap = aio_ring_mmap,
365};
366
367#if IS_ENABLED(CONFIG_MIGRATION)
368static int aio_migratepage(struct address_space *mapping, struct page *new,
369 struct page *old, enum migrate_mode mode)
370{
371 struct kioctx *ctx;
372 unsigned long flags;
373 pgoff_t idx;
374 int rc;
375
376 /*
377 * We cannot support the _NO_COPY case here, because copy needs to
378 * happen under the ctx->completion_lock. That does not work with the
379 * migration workflow of MIGRATE_SYNC_NO_COPY.
380 */
381 if (mode == MIGRATE_SYNC_NO_COPY)
382 return -EINVAL;
383
384 rc = 0;
385
386 /* mapping->private_lock here protects against the kioctx teardown. */
387 spin_lock(&mapping->private_lock);
388 ctx = mapping->private_data;
389 if (!ctx) {
390 rc = -EINVAL;
391 goto out;
392 }
393
394 /* The ring_lock mutex. The prevents aio_read_events() from writing
395 * to the ring's head, and prevents page migration from mucking in
396 * a partially initialized kiotx.
397 */
398 if (!mutex_trylock(&ctx->ring_lock)) {
399 rc = -EAGAIN;
400 goto out;
401 }
402
403 idx = old->index;
404 if (idx < (pgoff_t)ctx->nr_pages) {
405 /* Make sure the old page hasn't already been changed */
406 if (ctx->ring_pages[idx] != old)
407 rc = -EAGAIN;
408 } else
409 rc = -EINVAL;
410
411 if (rc != 0)
412 goto out_unlock;
413
414 /* Writeback must be complete */
415 BUG_ON(PageWriteback(old));
416 get_page(new);
417
418 rc = migrate_page_move_mapping(mapping, new, old, NULL, mode, 1);
419 if (rc != MIGRATEPAGE_SUCCESS) {
420 put_page(new);
421 goto out_unlock;
422 }
423
424 /* Take completion_lock to prevent other writes to the ring buffer
425 * while the old page is copied to the new. This prevents new
426 * events from being lost.
427 */
428 spin_lock_irqsave(&ctx->completion_lock, flags);
429 migrate_page_copy(new, old);
430 BUG_ON(ctx->ring_pages[idx] != old);
431 ctx->ring_pages[idx] = new;
432 spin_unlock_irqrestore(&ctx->completion_lock, flags);
433
434 /* The old page is no longer accessible. */
435 put_page(old);
436
437out_unlock:
438 mutex_unlock(&ctx->ring_lock);
439out:
440 spin_unlock(&mapping->private_lock);
441 return rc;
442}
443#endif
444
445static const struct address_space_operations aio_ctx_aops = {
446 .set_page_dirty = __set_page_dirty_no_writeback,
447#if IS_ENABLED(CONFIG_MIGRATION)
448 .migratepage = aio_migratepage,
449#endif
450};
451
452static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events)
453{
454 struct aio_ring *ring;
455 struct mm_struct *mm = current->mm;
456 unsigned long size, unused;
457 int nr_pages;
458 int i;
459 struct file *file;
460
461 /* Compensate for the ring buffer's head/tail overlap entry */
462 nr_events += 2; /* 1 is required, 2 for good luck */
463
464 size = sizeof(struct aio_ring);
465 size += sizeof(struct io_event) * nr_events;
466
467 nr_pages = PFN_UP(size);
468 if (nr_pages < 0)
469 return -EINVAL;
470
471 file = aio_private_file(ctx, nr_pages);
472 if (IS_ERR(file)) {
473 ctx->aio_ring_file = NULL;
474 return -ENOMEM;
475 }
476
477 ctx->aio_ring_file = file;
478 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring))
479 / sizeof(struct io_event);
480
481 ctx->ring_pages = ctx->internal_pages;
482 if (nr_pages > AIO_RING_PAGES) {
483 ctx->ring_pages = kcalloc(nr_pages, sizeof(struct page *),
484 GFP_KERNEL);
485 if (!ctx->ring_pages) {
486 put_aio_ring_file(ctx);
487 return -ENOMEM;
488 }
489 }
490
491 for (i = 0; i < nr_pages; i++) {
492 struct page *page;
493 page = find_or_create_page(file->f_mapping,
494 i, GFP_HIGHUSER | __GFP_ZERO);
495 if (!page)
496 break;
497 pr_debug("pid(%d) page[%d]->count=%d\n",
498 current->pid, i, page_count(page));
499 SetPageUptodate(page);
500 unlock_page(page);
501
502 ctx->ring_pages[i] = page;
503 }
504 ctx->nr_pages = i;
505
506 if (unlikely(i != nr_pages)) {
507 aio_free_ring(ctx);
508 return -ENOMEM;
509 }
510
511 ctx->mmap_size = nr_pages * PAGE_SIZE;
512 pr_debug("attempting mmap of %lu bytes\n", ctx->mmap_size);
513
514 if (down_write_killable(&mm->mmap_sem)) {
515 ctx->mmap_size = 0;
516 aio_free_ring(ctx);
517 return -EINTR;
518 }
519
520 ctx->mmap_base = do_mmap_pgoff(ctx->aio_ring_file, 0, ctx->mmap_size,
521 PROT_READ | PROT_WRITE,
522 MAP_SHARED, 0, &unused, NULL);
523 up_write(&mm->mmap_sem);
524 if (IS_ERR((void *)ctx->mmap_base)) {
525 ctx->mmap_size = 0;
526 aio_free_ring(ctx);
527 return -ENOMEM;
528 }
529
530 pr_debug("mmap address: 0x%08lx\n", ctx->mmap_base);
531
532 ctx->user_id = ctx->mmap_base;
533 ctx->nr_events = nr_events; /* trusted copy */
534
535 ring = kmap_atomic(ctx->ring_pages[0]);
536 ring->nr = nr_events; /* user copy */
537 ring->id = ~0U;
538 ring->head = ring->tail = 0;
539 ring->magic = AIO_RING_MAGIC;
540 ring->compat_features = AIO_RING_COMPAT_FEATURES;
541 ring->incompat_features = AIO_RING_INCOMPAT_FEATURES;
542 ring->header_length = sizeof(struct aio_ring);
543 kunmap_atomic(ring);
544 flush_dcache_page(ctx->ring_pages[0]);
545
546 return 0;
547}
548
549#define AIO_EVENTS_PER_PAGE (PAGE_SIZE / sizeof(struct io_event))
550#define AIO_EVENTS_FIRST_PAGE ((PAGE_SIZE - sizeof(struct aio_ring)) / sizeof(struct io_event))
551#define AIO_EVENTS_OFFSET (AIO_EVENTS_PER_PAGE - AIO_EVENTS_FIRST_PAGE)
552
553void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel)
554{
555 struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, common);
556 struct kioctx *ctx = req->ki_ctx;
557 unsigned long flags;
558
559 spin_lock_irqsave(&ctx->ctx_lock, flags);
560
561 if (!req->ki_list.next)
562 list_add(&req->ki_list, &ctx->active_reqs);
563
564 req->ki_cancel = cancel;
565
566 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
567}
568EXPORT_SYMBOL(kiocb_set_cancel_fn);
569
570static int kiocb_cancel(struct aio_kiocb *kiocb)
571{
572 kiocb_cancel_fn *old, *cancel;
573
574 /*
575 * Don't want to set kiocb->ki_cancel = KIOCB_CANCELLED unless it
576 * actually has a cancel function, hence the cmpxchg()
577 */
578
579 cancel = READ_ONCE(kiocb->ki_cancel);
580 do {
581 if (!cancel || cancel == KIOCB_CANCELLED)
582 return -EINVAL;
583
584 old = cancel;
585 cancel = cmpxchg(&kiocb->ki_cancel, old, KIOCB_CANCELLED);
586 } while (cancel != old);
587
588 return cancel(&kiocb->common);
589}
590
591/*
592 * free_ioctx() should be RCU delayed to synchronize against the RCU
593 * protected lookup_ioctx() and also needs process context to call
594 * aio_free_ring(). Use rcu_work.
595 */
596static void free_ioctx(struct work_struct *work)
597{
598 struct kioctx *ctx = container_of(to_rcu_work(work), struct kioctx,
599 free_rwork);
600 pr_debug("freeing %p\n", ctx);
601
602 aio_free_ring(ctx);
603 free_percpu(ctx->cpu);
604 percpu_ref_exit(&ctx->reqs);
605 percpu_ref_exit(&ctx->users);
606 kmem_cache_free(kioctx_cachep, ctx);
607}
608
609static void free_ioctx_reqs(struct percpu_ref *ref)
610{
611 struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
612
613 /* At this point we know that there are no any in-flight requests */
614 if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
615 complete(&ctx->rq_wait->comp);
616
617 /* Synchronize against RCU protected table->table[] dereferences */
618 INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
619 queue_rcu_work(system_wq, &ctx->free_rwork);
620}
621
622/*
623 * When this function runs, the kioctx has been removed from the "hash table"
624 * and ctx->users has dropped to 0, so we know no more kiocbs can be submitted -
625 * now it's safe to cancel any that need to be.
626 */
627static void free_ioctx_users(struct percpu_ref *ref)
628{
629 struct kioctx *ctx = container_of(ref, struct kioctx, users);
630 struct aio_kiocb *req;
631
632 spin_lock_irq(&ctx->ctx_lock);
633
634 while (!list_empty(&ctx->active_reqs)) {
635 req = list_first_entry(&ctx->active_reqs,
636 struct aio_kiocb, ki_list);
637 kiocb_cancel(req);
638 list_del_init(&req->ki_list);
639 }
640
641 spin_unlock_irq(&ctx->ctx_lock);
642
643 percpu_ref_kill(&ctx->reqs);
644 percpu_ref_put(&ctx->reqs);
645}
646
647static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm)
648{
649 unsigned i, new_nr;
650 struct kioctx_table *table, *old;
651 struct aio_ring *ring;
652
653 spin_lock(&mm->ioctx_lock);
654 table = rcu_dereference_raw(mm->ioctx_table);
655
656 while (1) {
657 if (table)
658 for (i = 0; i < table->nr; i++)
659 if (!rcu_access_pointer(table->table[i])) {
660 ctx->id = i;
661 rcu_assign_pointer(table->table[i], ctx);
662 spin_unlock(&mm->ioctx_lock);
663
664 /* While kioctx setup is in progress,
665 * we are protected from page migration
666 * changes ring_pages by ->ring_lock.
667 */
668 ring = kmap_atomic(ctx->ring_pages[0]);
669 ring->id = ctx->id;
670 kunmap_atomic(ring);
671 return 0;
672 }
673
674 new_nr = (table ? table->nr : 1) * 4;
675 spin_unlock(&mm->ioctx_lock);
676
677 table = kzalloc(sizeof(*table) + sizeof(struct kioctx *) *
678 new_nr, GFP_KERNEL);
679 if (!table)
680 return -ENOMEM;
681
682 table->nr = new_nr;
683
684 spin_lock(&mm->ioctx_lock);
685 old = rcu_dereference_raw(mm->ioctx_table);
686
687 if (!old) {
688 rcu_assign_pointer(mm->ioctx_table, table);
689 } else if (table->nr > old->nr) {
690 memcpy(table->table, old->table,
691 old->nr * sizeof(struct kioctx *));
692
693 rcu_assign_pointer(mm->ioctx_table, table);
694 kfree_rcu(old, rcu);
695 } else {
696 kfree(table);
697 table = old;
698 }
699 }
700}
701
702static void aio_nr_sub(unsigned nr)
703{
704 spin_lock(&aio_nr_lock);
705 if (WARN_ON(aio_nr - nr > aio_nr))
706 aio_nr = 0;
707 else
708 aio_nr -= nr;
709 spin_unlock(&aio_nr_lock);
710}
711
712/* ioctx_alloc
713 * Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
714 */
715static struct kioctx *ioctx_alloc(unsigned nr_events)
716{
717 struct mm_struct *mm = current->mm;
718 struct kioctx *ctx;
719 int err = -ENOMEM;
720
721 /*
722 * Store the original nr_events -- what userspace passed to io_setup(),
723 * for counting against the global limit -- before it changes.
724 */
725 unsigned int max_reqs = nr_events;
726
727 /*
728 * We keep track of the number of available ringbuffer slots, to prevent
729 * overflow (reqs_available), and we also use percpu counters for this.
730 *
731 * So since up to half the slots might be on other cpu's percpu counters
732 * and unavailable, double nr_events so userspace sees what they
733 * expected: additionally, we move req_batch slots to/from percpu
734 * counters at a time, so make sure that isn't 0:
735 */
736 nr_events = max(nr_events, num_possible_cpus() * 4);
737 nr_events *= 2;
738
739 /* Prevent overflows */
740 if (nr_events > (0x10000000U / sizeof(struct io_event))) {
741 pr_debug("ENOMEM: nr_events too high\n");
742 return ERR_PTR(-EINVAL);
743 }
744
745 if (!nr_events || (unsigned long)max_reqs > aio_max_nr)
746 return ERR_PTR(-EAGAIN);
747
748 ctx = kmem_cache_zalloc(kioctx_cachep, GFP_KERNEL);
749 if (!ctx)
750 return ERR_PTR(-ENOMEM);
751
752 ctx->max_reqs = max_reqs;
753
754 spin_lock_init(&ctx->ctx_lock);
755 spin_lock_init(&ctx->completion_lock);
756 mutex_init(&ctx->ring_lock);
757 /* Protect against page migration throughout kiotx setup by keeping
758 * the ring_lock mutex held until setup is complete. */
759 mutex_lock(&ctx->ring_lock);
760 init_waitqueue_head(&ctx->wait);
761
762 INIT_LIST_HEAD(&ctx->active_reqs);
763
764 if (percpu_ref_init(&ctx->users, free_ioctx_users, 0, GFP_KERNEL))
765 goto err;
766
767 if (percpu_ref_init(&ctx->reqs, free_ioctx_reqs, 0, GFP_KERNEL))
768 goto err;
769
770 ctx->cpu = alloc_percpu(struct kioctx_cpu);
771 if (!ctx->cpu)
772 goto err;
773
774 err = aio_setup_ring(ctx, nr_events);
775 if (err < 0)
776 goto err;
777
778 atomic_set(&ctx->reqs_available, ctx->nr_events - 1);
779 ctx->req_batch = (ctx->nr_events - 1) / (num_possible_cpus() * 4);
780 if (ctx->req_batch < 1)
781 ctx->req_batch = 1;
782
783 /* limit the number of system wide aios */
784 spin_lock(&aio_nr_lock);
785 if (aio_nr + ctx->max_reqs > aio_max_nr ||
786 aio_nr + ctx->max_reqs < aio_nr) {
787 spin_unlock(&aio_nr_lock);
788 err = -EAGAIN;
789 goto err_ctx;
790 }
791 aio_nr += ctx->max_reqs;
792 spin_unlock(&aio_nr_lock);
793
794 percpu_ref_get(&ctx->users); /* io_setup() will drop this ref */
795 percpu_ref_get(&ctx->reqs); /* free_ioctx_users() will drop this */
796
797 err = ioctx_add_table(ctx, mm);
798 if (err)
799 goto err_cleanup;
800
801 /* Release the ring_lock mutex now that all setup is complete. */
802 mutex_unlock(&ctx->ring_lock);
803
804 pr_debug("allocated ioctx %p[%ld]: mm=%p mask=0x%x\n",
805 ctx, ctx->user_id, mm, ctx->nr_events);
806 return ctx;
807
808err_cleanup:
809 aio_nr_sub(ctx->max_reqs);
810err_ctx:
811 atomic_set(&ctx->dead, 1);
812 if (ctx->mmap_size)
813 vm_munmap(ctx->mmap_base, ctx->mmap_size);
814 aio_free_ring(ctx);
815err:
816 mutex_unlock(&ctx->ring_lock);
817 free_percpu(ctx->cpu);
818 percpu_ref_exit(&ctx->reqs);
819 percpu_ref_exit(&ctx->users);
820 kmem_cache_free(kioctx_cachep, ctx);
821 pr_debug("error allocating ioctx %d\n", err);
822 return ERR_PTR(err);
823}
824
825/* kill_ioctx
826 * Cancels all outstanding aio requests on an aio context. Used
827 * when the processes owning a context have all exited to encourage
828 * the rapid destruction of the kioctx.
829 */
830static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
831 struct ctx_rq_wait *wait)
832{
833 struct kioctx_table *table;
834
835 spin_lock(&mm->ioctx_lock);
836 if (atomic_xchg(&ctx->dead, 1)) {
837 spin_unlock(&mm->ioctx_lock);
838 return -EINVAL;
839 }
840
841 table = rcu_dereference_raw(mm->ioctx_table);
842 WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id]));
843 RCU_INIT_POINTER(table->table[ctx->id], NULL);
844 spin_unlock(&mm->ioctx_lock);
845
846 /* free_ioctx_reqs() will do the necessary RCU synchronization */
847 wake_up_all(&ctx->wait);
848
849 /*
850 * It'd be more correct to do this in free_ioctx(), after all
851 * the outstanding kiocbs have finished - but by then io_destroy
852 * has already returned, so io_setup() could potentially return
853 * -EAGAIN with no ioctxs actually in use (as far as userspace
854 * could tell).
855 */
856 aio_nr_sub(ctx->max_reqs);
857
858 if (ctx->mmap_size)
859 vm_munmap(ctx->mmap_base, ctx->mmap_size);
860
861 ctx->rq_wait = wait;
862 percpu_ref_kill(&ctx->users);
863 return 0;
864}
865
866/*
867 * exit_aio: called when the last user of mm goes away. At this point, there is
868 * no way for any new requests to be submited or any of the io_* syscalls to be
869 * called on the context.
870 *
871 * There may be outstanding kiocbs, but free_ioctx() will explicitly wait on
872 * them.
873 */
874void exit_aio(struct mm_struct *mm)
875{
876 struct kioctx_table *table = rcu_dereference_raw(mm->ioctx_table);
877 struct ctx_rq_wait wait;
878 int i, skipped;
879
880 if (!table)
881 return;
882
883 atomic_set(&wait.count, table->nr);
884 init_completion(&wait.comp);
885
886 skipped = 0;
887 for (i = 0; i < table->nr; ++i) {
888 struct kioctx *ctx =
889 rcu_dereference_protected(table->table[i], true);
890
891 if (!ctx) {
892 skipped++;
893 continue;
894 }
895
896 /*
897 * We don't need to bother with munmap() here - exit_mmap(mm)
898 * is coming and it'll unmap everything. And we simply can't,
899 * this is not necessarily our ->mm.
900 * Since kill_ioctx() uses non-zero ->mmap_size as indicator
901 * that it needs to unmap the area, just set it to 0.
902 */
903 ctx->mmap_size = 0;
904 kill_ioctx(mm, ctx, &wait);
905 }
906
907 if (!atomic_sub_and_test(skipped, &wait.count)) {
908 /* Wait until all IO for the context are done. */
909 wait_for_completion(&wait.comp);
910 }
911
912 RCU_INIT_POINTER(mm->ioctx_table, NULL);
913 kfree(table);
914}
915
916static void put_reqs_available(struct kioctx *ctx, unsigned nr)
917{
918 struct kioctx_cpu *kcpu;
919 unsigned long flags;
920
921 local_irq_save(flags);
922 kcpu = this_cpu_ptr(ctx->cpu);
923 kcpu->reqs_available += nr;
924
925 while (kcpu->reqs_available >= ctx->req_batch * 2) {
926 kcpu->reqs_available -= ctx->req_batch;
927 atomic_add(ctx->req_batch, &ctx->reqs_available);
928 }
929
930 local_irq_restore(flags);
931}
932
933static bool get_reqs_available(struct kioctx *ctx)
934{
935 struct kioctx_cpu *kcpu;
936 bool ret = false;
937 unsigned long flags;
938
939 local_irq_save(flags);
940 kcpu = this_cpu_ptr(ctx->cpu);
941 if (!kcpu->reqs_available) {
942 int old, avail = atomic_read(&ctx->reqs_available);
943
944 do {
945 if (avail < ctx->req_batch)
946 goto out;
947
948 old = avail;
949 avail = atomic_cmpxchg(&ctx->reqs_available,
950 avail, avail - ctx->req_batch);
951 } while (avail != old);
952
953 kcpu->reqs_available += ctx->req_batch;
954 }
955
956 ret = true;
957 kcpu->reqs_available--;
958out:
959 local_irq_restore(flags);
960 return ret;
961}
962
963/* refill_reqs_available
964 * Updates the reqs_available reference counts used for tracking the
965 * number of free slots in the completion ring. This can be called
966 * from aio_complete() (to optimistically update reqs_available) or
967 * from aio_get_req() (the we're out of events case). It must be
968 * called holding ctx->completion_lock.
969 */
970static void refill_reqs_available(struct kioctx *ctx, unsigned head,
971 unsigned tail)
972{
973 unsigned events_in_ring, completed;
974
975 /* Clamp head since userland can write to it. */
976 head %= ctx->nr_events;
977 if (head <= tail)
978 events_in_ring = tail - head;
979 else
980 events_in_ring = ctx->nr_events - (head - tail);
981
982 completed = ctx->completed_events;
983 if (events_in_ring < completed)
984 completed -= events_in_ring;
985 else
986 completed = 0;
987
988 if (!completed)
989 return;
990
991 ctx->completed_events -= completed;
992 put_reqs_available(ctx, completed);
993}
994
995/* user_refill_reqs_available
996 * Called to refill reqs_available when aio_get_req() encounters an
997 * out of space in the completion ring.
998 */
999static void user_refill_reqs_available(struct kioctx *ctx)
1000{
1001 spin_lock_irq(&ctx->completion_lock);
1002 if (ctx->completed_events) {
1003 struct aio_ring *ring;
1004 unsigned head;
1005
1006 /* Access of ring->head may race with aio_read_events_ring()
1007 * here, but that's okay since whether we read the old version
1008 * or the new version, and either will be valid. The important
1009 * part is that head cannot pass tail since we prevent
1010 * aio_complete() from updating tail by holding
1011 * ctx->completion_lock. Even if head is invalid, the check
1012 * against ctx->completed_events below will make sure we do the
1013 * safe/right thing.
1014 */
1015 ring = kmap_atomic(ctx->ring_pages[0]);
1016 head = ring->head;
1017 kunmap_atomic(ring);
1018
1019 refill_reqs_available(ctx, head, ctx->tail);
1020 }
1021
1022 spin_unlock_irq(&ctx->completion_lock);
1023}
1024
1025/* aio_get_req
1026 * Allocate a slot for an aio request.
1027 * Returns NULL if no requests are free.
1028 */
1029static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
1030{
1031 struct aio_kiocb *req;
1032
1033 if (!get_reqs_available(ctx)) {
1034 user_refill_reqs_available(ctx);
1035 if (!get_reqs_available(ctx))
1036 return NULL;
1037 }
1038
1039 req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO);
1040 if (unlikely(!req))
1041 goto out_put;
1042
1043 percpu_ref_get(&ctx->reqs);
1044
1045 req->ki_ctx = ctx;
1046 return req;
1047out_put:
1048 put_reqs_available(ctx, 1);
1049 return NULL;
1050}
1051
1052static void kiocb_free(struct aio_kiocb *req)
1053{
1054 if (req->common.ki_filp)
1055 fput(req->common.ki_filp);
1056 if (req->ki_eventfd != NULL)
1057 eventfd_ctx_put(req->ki_eventfd);
1058 kmem_cache_free(kiocb_cachep, req);
1059}
1060
1061static struct kioctx *lookup_ioctx(unsigned long ctx_id)
1062{
1063 struct aio_ring __user *ring = (void __user *)ctx_id;
1064 struct mm_struct *mm = current->mm;
1065 struct kioctx *ctx, *ret = NULL;
1066 struct kioctx_table *table;
1067 unsigned id;
1068
1069 if (get_user(id, &ring->id))
1070 return NULL;
1071
1072 rcu_read_lock();
1073 table = rcu_dereference(mm->ioctx_table);
1074
1075 if (!table || id >= table->nr)
1076 goto out;
1077
1078 ctx = rcu_dereference(table->table[id]);
1079 if (ctx && ctx->user_id == ctx_id) {
1080 if (percpu_ref_tryget_live(&ctx->users))
1081 ret = ctx;
1082 }
1083out:
1084 rcu_read_unlock();
1085 return ret;
1086}
1087
1088/* aio_complete
1089 * Called when the io request on the given iocb is complete.
1090 */
1091static void aio_complete(struct kiocb *kiocb, long res, long res2)
1092{
1093 struct aio_kiocb *iocb = container_of(kiocb, struct aio_kiocb, common);
1094 struct kioctx *ctx = iocb->ki_ctx;
1095 struct aio_ring *ring;
1096 struct io_event *ev_page, *event;
1097 unsigned tail, pos, head;
1098 unsigned long flags;
1099
1100 if (kiocb->ki_flags & IOCB_WRITE) {
1101 struct file *file = kiocb->ki_filp;
1102
1103 /*
1104 * Tell lockdep we inherited freeze protection from submission
1105 * thread.
1106 */
1107 if (S_ISREG(file_inode(file)->i_mode))
1108 __sb_writers_acquired(file_inode(file)->i_sb, SB_FREEZE_WRITE);
1109 file_end_write(file);
1110 }
1111
1112 /*
1113 * Special case handling for sync iocbs:
1114 * - events go directly into the iocb for fast handling
1115 * - the sync task with the iocb in its stack holds the single iocb
1116 * ref, no other paths have a way to get another ref
1117 * - the sync task helpfully left a reference to itself in the iocb
1118 */
1119 BUG_ON(is_sync_kiocb(kiocb));
1120
1121 if (iocb->ki_list.next) {
1122 unsigned long flags;
1123
1124 spin_lock_irqsave(&ctx->ctx_lock, flags);
1125 list_del(&iocb->ki_list);
1126 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
1127 }
1128
1129 /*
1130 * Add a completion event to the ring buffer. Must be done holding
1131 * ctx->completion_lock to prevent other code from messing with the tail
1132 * pointer since we might be called from irq context.
1133 */
1134 spin_lock_irqsave(&ctx->completion_lock, flags);
1135
1136 tail = ctx->tail;
1137 pos = tail + AIO_EVENTS_OFFSET;
1138
1139 if (++tail >= ctx->nr_events)
1140 tail = 0;
1141
1142 ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
1143 event = ev_page + pos % AIO_EVENTS_PER_PAGE;
1144
1145 event->obj = (u64)(unsigned long)iocb->ki_user_iocb;
1146 event->data = iocb->ki_user_data;
1147 event->res = res;
1148 event->res2 = res2;
1149
1150 kunmap_atomic(ev_page);
1151 flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
1152
1153 pr_debug("%p[%u]: %p: %p %Lx %lx %lx\n",
1154 ctx, tail, iocb, iocb->ki_user_iocb, iocb->ki_user_data,
1155 res, res2);
1156
1157 /* after flagging the request as done, we
1158 * must never even look at it again
1159 */
1160 smp_wmb(); /* make event visible before updating tail */
1161
1162 ctx->tail = tail;
1163
1164 ring = kmap_atomic(ctx->ring_pages[0]);
1165 head = ring->head;
1166 ring->tail = tail;
1167 kunmap_atomic(ring);
1168 flush_dcache_page(ctx->ring_pages[0]);
1169
1170 ctx->completed_events++;
1171 if (ctx->completed_events > 1)
1172 refill_reqs_available(ctx, head, tail);
1173 spin_unlock_irqrestore(&ctx->completion_lock, flags);
1174
1175 pr_debug("added to ring %p at [%u]\n", iocb, tail);
1176
1177 /*
1178 * Check if the user asked us to deliver the result through an
1179 * eventfd. The eventfd_signal() function is safe to be called
1180 * from IRQ context.
1181 */
1182 if (iocb->ki_eventfd != NULL)
1183 eventfd_signal(iocb->ki_eventfd, 1);
1184
1185 /* everything turned out well, dispose of the aiocb. */
1186 kiocb_free(iocb);
1187
1188 /*
1189 * We have to order our ring_info tail store above and test
1190 * of the wait list below outside the wait lock. This is
1191 * like in wake_up_bit() where clearing a bit has to be
1192 * ordered with the unlocked test.
1193 */
1194 smp_mb();
1195
1196 if (waitqueue_active(&ctx->wait))
1197 wake_up(&ctx->wait);
1198
1199 percpu_ref_put(&ctx->reqs);
1200}
1201
1202/* aio_read_events_ring
1203 * Pull an event off of the ioctx's event ring. Returns the number of
1204 * events fetched
1205 */
1206static long aio_read_events_ring(struct kioctx *ctx,
1207 struct io_event __user *event, long nr)
1208{
1209 struct aio_ring *ring;
1210 unsigned head, tail, pos;
1211 long ret = 0;
1212 int copy_ret;
1213
1214 /*
1215 * The mutex can block and wake us up and that will cause
1216 * wait_event_interruptible_hrtimeout() to schedule without sleeping
1217 * and repeat. This should be rare enough that it doesn't cause
1218 * peformance issues. See the comment in read_events() for more detail.
1219 */
1220 sched_annotate_sleep();
1221 mutex_lock(&ctx->ring_lock);
1222
1223 /* Access to ->ring_pages here is protected by ctx->ring_lock. */
1224 ring = kmap_atomic(ctx->ring_pages[0]);
1225 head = ring->head;
1226 tail = ring->tail;
1227 kunmap_atomic(ring);
1228
1229 /*
1230 * Ensure that once we've read the current tail pointer, that
1231 * we also see the events that were stored up to the tail.
1232 */
1233 smp_rmb();
1234
1235 pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events);
1236
1237 if (head == tail)
1238 goto out;
1239
1240 head %= ctx->nr_events;
1241 tail %= ctx->nr_events;
1242
1243 while (ret < nr) {
1244 long avail;
1245 struct io_event *ev;
1246 struct page *page;
1247
1248 avail = (head <= tail ? tail : ctx->nr_events) - head;
1249 if (head == tail)
1250 break;
1251
1252 avail = min(avail, nr - ret);
1253 avail = min_t(long, avail, AIO_EVENTS_PER_PAGE -
1254 ((head + AIO_EVENTS_OFFSET) % AIO_EVENTS_PER_PAGE));
1255
1256 pos = head + AIO_EVENTS_OFFSET;
1257 page = ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE];
1258 pos %= AIO_EVENTS_PER_PAGE;
1259
1260 ev = kmap(page);
1261 copy_ret = copy_to_user(event + ret, ev + pos,
1262 sizeof(*ev) * avail);
1263 kunmap(page);
1264
1265 if (unlikely(copy_ret)) {
1266 ret = -EFAULT;
1267 goto out;
1268 }
1269
1270 ret += avail;
1271 head += avail;
1272 head %= ctx->nr_events;
1273 }
1274
1275 ring = kmap_atomic(ctx->ring_pages[0]);
1276 ring->head = head;
1277 kunmap_atomic(ring);
1278 flush_dcache_page(ctx->ring_pages[0]);
1279
1280 pr_debug("%li h%u t%u\n", ret, head, tail);
1281out:
1282 mutex_unlock(&ctx->ring_lock);
1283
1284 return ret;
1285}
1286
1287static bool aio_read_events(struct kioctx *ctx, long min_nr, long nr,
1288 struct io_event __user *event, long *i)
1289{
1290 long ret = aio_read_events_ring(ctx, event + *i, nr - *i);
1291
1292 if (ret > 0)
1293 *i += ret;
1294
1295 if (unlikely(atomic_read(&ctx->dead)))
1296 ret = -EINVAL;
1297
1298 if (!*i)
1299 *i = ret;
1300
1301 return ret < 0 || *i >= min_nr;
1302}
1303
1304static long read_events(struct kioctx *ctx, long min_nr, long nr,
1305 struct io_event __user *event,
1306 ktime_t until)
1307{
1308 long ret = 0;
1309
1310 /*
1311 * Note that aio_read_events() is being called as the conditional - i.e.
1312 * we're calling it after prepare_to_wait() has set task state to
1313 * TASK_INTERRUPTIBLE.
1314 *
1315 * But aio_read_events() can block, and if it blocks it's going to flip
1316 * the task state back to TASK_RUNNING.
1317 *
1318 * This should be ok, provided it doesn't flip the state back to
1319 * TASK_RUNNING and return 0 too much - that causes us to spin. That
1320 * will only happen if the mutex_lock() call blocks, and we then find
1321 * the ringbuffer empty. So in practice we should be ok, but it's
1322 * something to be aware of when touching this code.
1323 */
1324 if (until == 0)
1325 aio_read_events(ctx, min_nr, nr, event, &ret);
1326 else
1327 wait_event_interruptible_hrtimeout(ctx->wait,
1328 aio_read_events(ctx, min_nr, nr, event, &ret),
1329 until);
1330
1331 if (!ret && signal_pending(current))
1332 ret = -EINTR;
1333
1334 return ret;
1335}
1336
1337/* sys_io_setup:
1338 * Create an aio_context capable of receiving at least nr_events.
1339 * ctxp must not point to an aio_context that already exists, and
1340 * must be initialized to 0 prior to the call. On successful
1341 * creation of the aio_context, *ctxp is filled in with the resulting
1342 * handle. May fail with -EINVAL if *ctxp is not initialized,
1343 * if the specified nr_events exceeds internal limits. May fail
1344 * with -EAGAIN if the specified nr_events exceeds the user's limit
1345 * of available events. May fail with -ENOMEM if insufficient kernel
1346 * resources are available. May fail with -EFAULT if an invalid
1347 * pointer is passed for ctxp. Will fail with -ENOSYS if not
1348 * implemented.
1349 */
1350SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
1351{
1352 struct kioctx *ioctx = NULL;
1353 unsigned long ctx;
1354 long ret;
1355
1356 ret = get_user(ctx, ctxp);
1357 if (unlikely(ret))
1358 goto out;
1359
1360 ret = -EINVAL;
1361 if (unlikely(ctx || nr_events == 0)) {
1362 pr_debug("EINVAL: ctx %lu nr_events %u\n",
1363 ctx, nr_events);
1364 goto out;
1365 }
1366
1367 ioctx = ioctx_alloc(nr_events);
1368 ret = PTR_ERR(ioctx);
1369 if (!IS_ERR(ioctx)) {
1370 ret = put_user(ioctx->user_id, ctxp);
1371 if (ret)
1372 kill_ioctx(current->mm, ioctx, NULL);
1373 percpu_ref_put(&ioctx->users);
1374 }
1375
1376out:
1377 return ret;
1378}
1379
1380#ifdef CONFIG_COMPAT
1381COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_events, u32 __user *, ctx32p)
1382{
1383 struct kioctx *ioctx = NULL;
1384 unsigned long ctx;
1385 long ret;
1386
1387 ret = get_user(ctx, ctx32p);
1388 if (unlikely(ret))
1389 goto out;
1390
1391 ret = -EINVAL;
1392 if (unlikely(ctx || nr_events == 0)) {
1393 pr_debug("EINVAL: ctx %lu nr_events %u\n",
1394 ctx, nr_events);
1395 goto out;
1396 }
1397
1398 ioctx = ioctx_alloc(nr_events);
1399 ret = PTR_ERR(ioctx);
1400 if (!IS_ERR(ioctx)) {
1401 /* truncating is ok because it's a user address */
1402 ret = put_user((u32)ioctx->user_id, ctx32p);
1403 if (ret)
1404 kill_ioctx(current->mm, ioctx, NULL);
1405 percpu_ref_put(&ioctx->users);
1406 }
1407
1408out:
1409 return ret;
1410}
1411#endif
1412
1413/* sys_io_destroy:
1414 * Destroy the aio_context specified. May cancel any outstanding
1415 * AIOs and block on completion. Will fail with -ENOSYS if not
1416 * implemented. May fail with -EINVAL if the context pointed to
1417 * is invalid.
1418 */
1419SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
1420{
1421 struct kioctx *ioctx = lookup_ioctx(ctx);
1422 if (likely(NULL != ioctx)) {
1423 struct ctx_rq_wait wait;
1424 int ret;
1425
1426 init_completion(&wait.comp);
1427 atomic_set(&wait.count, 1);
1428
1429 /* Pass requests_done to kill_ioctx() where it can be set
1430 * in a thread-safe way. If we try to set it here then we have
1431 * a race condition if two io_destroy() called simultaneously.
1432 */
1433 ret = kill_ioctx(current->mm, ioctx, &wait);
1434 percpu_ref_put(&ioctx->users);
1435
1436 /* Wait until all IO for the context are done. Otherwise kernel
1437 * keep using user-space buffers even if user thinks the context
1438 * is destroyed.
1439 */
1440 if (!ret)
1441 wait_for_completion(&wait.comp);
1442
1443 return ret;
1444 }
1445 pr_debug("EINVAL: invalid context id\n");
1446 return -EINVAL;
1447}
1448
1449static int aio_setup_rw(int rw, struct iocb *iocb, struct iovec **iovec,
1450 bool vectored, bool compat, struct iov_iter *iter)
1451{
1452 void __user *buf = (void __user *)(uintptr_t)iocb->aio_buf;
1453 size_t len = iocb->aio_nbytes;
1454
1455 if (!vectored) {
1456 ssize_t ret = import_single_range(rw, buf, len, *iovec, iter);
1457 *iovec = NULL;
1458 return ret;
1459 }
1460#ifdef CONFIG_COMPAT
1461 if (compat)
1462 return compat_import_iovec(rw, buf, len, UIO_FASTIOV, iovec,
1463 iter);
1464#endif
1465 return import_iovec(rw, buf, len, UIO_FASTIOV, iovec, iter);
1466}
1467
1468static inline ssize_t aio_ret(struct kiocb *req, ssize_t ret)
1469{
1470 switch (ret) {
1471 case -EIOCBQUEUED:
1472 return ret;
1473 case -ERESTARTSYS:
1474 case -ERESTARTNOINTR:
1475 case -ERESTARTNOHAND:
1476 case -ERESTART_RESTARTBLOCK:
1477 /*
1478 * There's no easy way to restart the syscall since other AIO's
1479 * may be already running. Just fail this IO with EINTR.
1480 */
1481 ret = -EINTR;
1482 /*FALLTHRU*/
1483 default:
1484 aio_complete(req, ret, 0);
1485 return 0;
1486 }
1487}
1488
1489static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,
1490 bool compat)
1491{
1492 struct file *file = req->ki_filp;
1493 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1494 struct iov_iter iter;
1495 ssize_t ret;
1496
1497 if (unlikely(!(file->f_mode & FMODE_READ)))
1498 return -EBADF;
1499 if (unlikely(!file->f_op->read_iter))
1500 return -EINVAL;
1501
1502 ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);
1503 if (ret)
1504 return ret;
1505 ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));
1506 if (!ret)
1507 ret = aio_ret(req, call_read_iter(file, req, &iter));
1508 kfree(iovec);
1509 return ret;
1510}
1511
1512static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,
1513 bool compat)
1514{
1515 struct file *file = req->ki_filp;
1516 struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1517 struct iov_iter iter;
1518 ssize_t ret;
1519
1520 if (unlikely(!(file->f_mode & FMODE_WRITE)))
1521 return -EBADF;
1522 if (unlikely(!file->f_op->write_iter))
1523 return -EINVAL;
1524
1525 ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);
1526 if (ret)
1527 return ret;
1528 ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));
1529 if (!ret) {
1530 req->ki_flags |= IOCB_WRITE;
1531 file_start_write(file);
1532 ret = aio_ret(req, call_write_iter(file, req, &iter));
1533 /*
1534 * We release freeze protection in aio_complete(). Fool lockdep
1535 * by telling it the lock got released so that it doesn't
1536 * complain about held lock when we return to userspace.
1537 */
1538 if (S_ISREG(file_inode(file)->i_mode))
1539 __sb_writers_release(file_inode(file)->i_sb, SB_FREEZE_WRITE);
1540 }
1541 kfree(iovec);
1542 return ret;
1543}
1544
1545static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1546 struct iocb *iocb, bool compat)
1547{
1548 struct aio_kiocb *req;
1549 struct file *file;
1550 ssize_t ret;
1551
1552 /* enforce forwards compatibility on users */
1553 if (unlikely(iocb->aio_reserved2)) {
1554 pr_debug("EINVAL: reserve field set\n");
1555 return -EINVAL;
1556 }
1557
1558 /* prevent overflows */
1559 if (unlikely(
1560 (iocb->aio_buf != (unsigned long)iocb->aio_buf) ||
1561 (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) ||
1562 ((ssize_t)iocb->aio_nbytes < 0)
1563 )) {
1564 pr_debug("EINVAL: overflow check\n");
1565 return -EINVAL;
1566 }
1567
1568 req = aio_get_req(ctx);
1569 if (unlikely(!req))
1570 return -EAGAIN;
1571
1572 req->common.ki_filp = file = fget(iocb->aio_fildes);
1573 if (unlikely(!req->common.ki_filp)) {
1574 ret = -EBADF;
1575 goto out_put_req;
1576 }
1577 req->common.ki_pos = iocb->aio_offset;
1578 req->common.ki_complete = aio_complete;
1579 req->common.ki_flags = iocb_flags(req->common.ki_filp);
1580 req->common.ki_hint = file_write_hint(file);
1581
1582 if (iocb->aio_flags & IOCB_FLAG_RESFD) {
1583 /*
1584 * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
1585 * instance of the file* now. The file descriptor must be
1586 * an eventfd() fd, and will be signaled for each completed
1587 * event using the eventfd_signal() function.
1588 */
1589 req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd);
1590 if (IS_ERR(req->ki_eventfd)) {
1591 ret = PTR_ERR(req->ki_eventfd);
1592 req->ki_eventfd = NULL;
1593 goto out_put_req;
1594 }
1595
1596 req->common.ki_flags |= IOCB_EVENTFD;
1597 }
1598
1599 ret = kiocb_set_rw_flags(&req->common, iocb->aio_rw_flags);
1600 if (unlikely(ret)) {
1601 pr_debug("EINVAL: aio_rw_flags\n");
1602 goto out_put_req;
1603 }
1604
1605 ret = put_user(KIOCB_KEY, &user_iocb->aio_key);
1606 if (unlikely(ret)) {
1607 pr_debug("EFAULT: aio_key\n");
1608 goto out_put_req;
1609 }
1610
1611 req->ki_user_iocb = user_iocb;
1612 req->ki_user_data = iocb->aio_data;
1613
1614 get_file(file);
1615 switch (iocb->aio_lio_opcode) {
1616 case IOCB_CMD_PREAD:
1617 ret = aio_read(&req->common, iocb, false, compat);
1618 break;
1619 case IOCB_CMD_PWRITE:
1620 ret = aio_write(&req->common, iocb, false, compat);
1621 break;
1622 case IOCB_CMD_PREADV:
1623 ret = aio_read(&req->common, iocb, true, compat);
1624 break;
1625 case IOCB_CMD_PWRITEV:
1626 ret = aio_write(&req->common, iocb, true, compat);
1627 break;
1628 default:
1629 pr_debug("invalid aio operation %d\n", iocb->aio_lio_opcode);
1630 ret = -EINVAL;
1631 break;
1632 }
1633 fput(file);
1634
1635 if (ret && ret != -EIOCBQUEUED)
1636 goto out_put_req;
1637 return 0;
1638out_put_req:
1639 put_reqs_available(ctx, 1);
1640 percpu_ref_put(&ctx->reqs);
1641 kiocb_free(req);
1642 return ret;
1643}
1644
1645static long do_io_submit(aio_context_t ctx_id, long nr,
1646 struct iocb __user *__user *iocbpp, bool compat)
1647{
1648 struct kioctx *ctx;
1649 long ret = 0;
1650 int i = 0;
1651 struct blk_plug plug;
1652
1653 if (unlikely(nr < 0))
1654 return -EINVAL;
1655
1656 if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
1657 nr = LONG_MAX/sizeof(*iocbpp);
1658
1659 if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
1660 return -EFAULT;
1661
1662 ctx = lookup_ioctx(ctx_id);
1663 if (unlikely(!ctx)) {
1664 pr_debug("EINVAL: invalid context id\n");
1665 return -EINVAL;
1666 }
1667
1668 blk_start_plug(&plug);
1669
1670 /*
1671 * AKPM: should this return a partial result if some of the IOs were
1672 * successfully submitted?
1673 */
1674 for (i=0; i<nr; i++) {
1675 struct iocb __user *user_iocb;
1676 struct iocb tmp;
1677
1678 if (unlikely(__get_user(user_iocb, iocbpp + i))) {
1679 ret = -EFAULT;
1680 break;
1681 }
1682
1683 if (unlikely(copy_from_user(&tmp, user_iocb, sizeof(tmp)))) {
1684 ret = -EFAULT;
1685 break;
1686 }
1687
1688 ret = io_submit_one(ctx, user_iocb, &tmp, compat);
1689 if (ret)
1690 break;
1691 }
1692 blk_finish_plug(&plug);
1693
1694 percpu_ref_put(&ctx->users);
1695 return i ? i : ret;
1696}
1697
1698/* sys_io_submit:
1699 * Queue the nr iocbs pointed to by iocbpp for processing. Returns
1700 * the number of iocbs queued. May return -EINVAL if the aio_context
1701 * specified by ctx_id is invalid, if nr is < 0, if the iocb at
1702 * *iocbpp[0] is not properly initialized, if the operation specified
1703 * is invalid for the file descriptor in the iocb. May fail with
1704 * -EFAULT if any of the data structures point to invalid data. May
1705 * fail with -EBADF if the file descriptor specified in the first
1706 * iocb is invalid. May fail with -EAGAIN if insufficient resources
1707 * are available to queue any iocbs. Will return 0 if nr is 0. Will
1708 * fail with -ENOSYS if not implemented.
1709 */
1710SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
1711 struct iocb __user * __user *, iocbpp)
1712{
1713 return do_io_submit(ctx_id, nr, iocbpp, 0);
1714}
1715
1716#ifdef CONFIG_COMPAT
1717static inline long
1718copy_iocb(long nr, u32 __user *ptr32, struct iocb __user * __user *ptr64)
1719{
1720 compat_uptr_t uptr;
1721 int i;
1722
1723 for (i = 0; i < nr; ++i) {
1724 if (get_user(uptr, ptr32 + i))
1725 return -EFAULT;
1726 if (put_user(compat_ptr(uptr), ptr64 + i))
1727 return -EFAULT;
1728 }
1729 return 0;
1730}
1731
1732#define MAX_AIO_SUBMITS (PAGE_SIZE/sizeof(struct iocb *))
1733
1734COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
1735 int, nr, u32 __user *, iocb)
1736{
1737 struct iocb __user * __user *iocb64;
1738 long ret;
1739
1740 if (unlikely(nr < 0))
1741 return -EINVAL;
1742
1743 if (nr > MAX_AIO_SUBMITS)
1744 nr = MAX_AIO_SUBMITS;
1745
1746 iocb64 = compat_alloc_user_space(nr * sizeof(*iocb64));
1747 ret = copy_iocb(nr, iocb, iocb64);
1748 if (!ret)
1749 ret = do_io_submit(ctx_id, nr, iocb64, 1);
1750 return ret;
1751}
1752#endif
1753
1754/* lookup_kiocb
1755 * Finds a given iocb for cancellation.
1756 */
1757static struct aio_kiocb *
1758lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb, u32 key)
1759{
1760 struct aio_kiocb *kiocb;
1761
1762 assert_spin_locked(&ctx->ctx_lock);
1763
1764 if (key != KIOCB_KEY)
1765 return NULL;
1766
1767 /* TODO: use a hash or array, this sucks. */
1768 list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
1769 if (kiocb->ki_user_iocb == iocb)
1770 return kiocb;
1771 }
1772 return NULL;
1773}
1774
1775/* sys_io_cancel:
1776 * Attempts to cancel an iocb previously passed to io_submit. If
1777 * the operation is successfully cancelled, the resulting event is
1778 * copied into the memory pointed to by result without being placed
1779 * into the completion queue and 0 is returned. May fail with
1780 * -EFAULT if any of the data structures pointed to are invalid.
1781 * May fail with -EINVAL if aio_context specified by ctx_id is
1782 * invalid. May fail with -EAGAIN if the iocb specified was not
1783 * cancelled. Will fail with -ENOSYS if not implemented.
1784 */
1785SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
1786 struct io_event __user *, result)
1787{
1788 struct kioctx *ctx;
1789 struct aio_kiocb *kiocb;
1790 u32 key;
1791 int ret;
1792
1793 ret = get_user(key, &iocb->aio_key);
1794 if (unlikely(ret))
1795 return -EFAULT;
1796
1797 ctx = lookup_ioctx(ctx_id);
1798 if (unlikely(!ctx))
1799 return -EINVAL;
1800
1801 spin_lock_irq(&ctx->ctx_lock);
1802
1803 kiocb = lookup_kiocb(ctx, iocb, key);
1804 if (kiocb)
1805 ret = kiocb_cancel(kiocb);
1806 else
1807 ret = -EINVAL;
1808
1809 spin_unlock_irq(&ctx->ctx_lock);
1810
1811 if (!ret) {
1812 /*
1813 * The result argument is no longer used - the io_event is
1814 * always delivered via the ring buffer. -EINPROGRESS indicates
1815 * cancellation is progress:
1816 */
1817 ret = -EINPROGRESS;
1818 }
1819
1820 percpu_ref_put(&ctx->users);
1821
1822 return ret;
1823}
1824
1825static long do_io_getevents(aio_context_t ctx_id,
1826 long min_nr,
1827 long nr,
1828 struct io_event __user *events,
1829 struct timespec64 *ts)
1830{
1831 ktime_t until = ts ? timespec64_to_ktime(*ts) : KTIME_MAX;
1832 struct kioctx *ioctx = lookup_ioctx(ctx_id);
1833 long ret = -EINVAL;
1834
1835 if (likely(ioctx)) {
1836 if (likely(min_nr <= nr && min_nr >= 0))
1837 ret = read_events(ioctx, min_nr, nr, events, until);
1838 percpu_ref_put(&ioctx->users);
1839 }
1840
1841 return ret;
1842}
1843
1844/* io_getevents:
1845 * Attempts to read at least min_nr events and up to nr events from
1846 * the completion queue for the aio_context specified by ctx_id. If
1847 * it succeeds, the number of read events is returned. May fail with
1848 * -EINVAL if ctx_id is invalid, if min_nr is out of range, if nr is
1849 * out of range, if timeout is out of range. May fail with -EFAULT
1850 * if any of the memory specified is invalid. May return 0 or
1851 * < min_nr if the timeout specified by timeout has elapsed
1852 * before sufficient events are available, where timeout == NULL
1853 * specifies an infinite timeout. Note that the timeout pointed to by
1854 * timeout is relative. Will fail with -ENOSYS if not implemented.
1855 */
1856SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id,
1857 long, min_nr,
1858 long, nr,
1859 struct io_event __user *, events,
1860 struct timespec __user *, timeout)
1861{
1862 struct timespec64 ts;
1863
1864 if (timeout) {
1865 if (unlikely(get_timespec64(&ts, timeout)))
1866 return -EFAULT;
1867 }
1868
1869 return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &ts : NULL);
1870}
1871
1872#ifdef CONFIG_COMPAT
1873COMPAT_SYSCALL_DEFINE5(io_getevents, compat_aio_context_t, ctx_id,
1874 compat_long_t, min_nr,
1875 compat_long_t, nr,
1876 struct io_event __user *, events,
1877 struct compat_timespec __user *, timeout)
1878{
1879 struct timespec64 t;
1880
1881 if (timeout) {
1882 if (compat_get_timespec64(&t, timeout))
1883 return -EFAULT;
1884
1885 }
1886
1887 return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &t : NULL);
1888}
1889#endif
1/*
2 * An async IO implementation for Linux
3 * Written by Benjamin LaHaise <bcrl@kvack.org>
4 *
5 * Implements an efficient asynchronous io interface.
6 *
7 * Copyright 2000, 2001, 2002 Red Hat, Inc. All Rights Reserved.
8 *
9 * See ../COPYING for licensing terms.
10 */
11#include <linux/kernel.h>
12#include <linux/init.h>
13#include <linux/errno.h>
14#include <linux/time.h>
15#include <linux/aio_abi.h>
16#include <linux/module.h>
17#include <linux/syscalls.h>
18#include <linux/backing-dev.h>
19#include <linux/uio.h>
20
21#define DEBUG 0
22
23#include <linux/sched.h>
24#include <linux/fs.h>
25#include <linux/file.h>
26#include <linux/mm.h>
27#include <linux/mman.h>
28#include <linux/mmu_context.h>
29#include <linux/slab.h>
30#include <linux/timer.h>
31#include <linux/aio.h>
32#include <linux/highmem.h>
33#include <linux/workqueue.h>
34#include <linux/security.h>
35#include <linux/eventfd.h>
36#include <linux/blkdev.h>
37#include <linux/compat.h>
38
39#include <asm/kmap_types.h>
40#include <asm/uaccess.h>
41
42#if DEBUG > 1
43#define dprintk printk
44#else
45#define dprintk(x...) do { ; } while (0)
46#endif
47
48/*------ sysctl variables----*/
49static DEFINE_SPINLOCK(aio_nr_lock);
50unsigned long aio_nr; /* current system wide number of aio requests */
51unsigned long aio_max_nr = 0x10000; /* system wide maximum number of aio requests */
52/*----end sysctl variables---*/
53
54static struct kmem_cache *kiocb_cachep;
55static struct kmem_cache *kioctx_cachep;
56
57static struct workqueue_struct *aio_wq;
58
59/* Used for rare fput completion. */
60static void aio_fput_routine(struct work_struct *);
61static DECLARE_WORK(fput_work, aio_fput_routine);
62
63static DEFINE_SPINLOCK(fput_lock);
64static LIST_HEAD(fput_head);
65
66static void aio_kick_handler(struct work_struct *);
67static void aio_queue_work(struct kioctx *);
68
69/* aio_setup
70 * Creates the slab caches used by the aio routines, panic on
71 * failure as this is done early during the boot sequence.
72 */
73static int __init aio_setup(void)
74{
75 kiocb_cachep = KMEM_CACHE(kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC);
76 kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC);
77
78 aio_wq = alloc_workqueue("aio", 0, 1); /* used to limit concurrency */
79 BUG_ON(!aio_wq);
80
81 pr_debug("aio_setup: sizeof(struct page) = %d\n", (int)sizeof(struct page));
82
83 return 0;
84}
85__initcall(aio_setup);
86
87static void aio_free_ring(struct kioctx *ctx)
88{
89 struct aio_ring_info *info = &ctx->ring_info;
90 long i;
91
92 for (i=0; i<info->nr_pages; i++)
93 put_page(info->ring_pages[i]);
94
95 if (info->mmap_size) {
96 down_write(&ctx->mm->mmap_sem);
97 do_munmap(ctx->mm, info->mmap_base, info->mmap_size);
98 up_write(&ctx->mm->mmap_sem);
99 }
100
101 if (info->ring_pages && info->ring_pages != info->internal_pages)
102 kfree(info->ring_pages);
103 info->ring_pages = NULL;
104 info->nr = 0;
105}
106
107static int aio_setup_ring(struct kioctx *ctx)
108{
109 struct aio_ring *ring;
110 struct aio_ring_info *info = &ctx->ring_info;
111 unsigned nr_events = ctx->max_reqs;
112 unsigned long size;
113 int nr_pages;
114
115 /* Compensate for the ring buffer's head/tail overlap entry */
116 nr_events += 2; /* 1 is required, 2 for good luck */
117
118 size = sizeof(struct aio_ring);
119 size += sizeof(struct io_event) * nr_events;
120 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
121
122 if (nr_pages < 0)
123 return -EINVAL;
124
125 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
126
127 info->nr = 0;
128 info->ring_pages = info->internal_pages;
129 if (nr_pages > AIO_RING_PAGES) {
130 info->ring_pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL);
131 if (!info->ring_pages)
132 return -ENOMEM;
133 }
134
135 info->mmap_size = nr_pages * PAGE_SIZE;
136 dprintk("attempting mmap of %lu bytes\n", info->mmap_size);
137 down_write(&ctx->mm->mmap_sem);
138 info->mmap_base = do_mmap(NULL, 0, info->mmap_size,
139 PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE,
140 0);
141 if (IS_ERR((void *)info->mmap_base)) {
142 up_write(&ctx->mm->mmap_sem);
143 info->mmap_size = 0;
144 aio_free_ring(ctx);
145 return -EAGAIN;
146 }
147
148 dprintk("mmap address: 0x%08lx\n", info->mmap_base);
149 info->nr_pages = get_user_pages(current, ctx->mm,
150 info->mmap_base, nr_pages,
151 1, 0, info->ring_pages, NULL);
152 up_write(&ctx->mm->mmap_sem);
153
154 if (unlikely(info->nr_pages != nr_pages)) {
155 aio_free_ring(ctx);
156 return -EAGAIN;
157 }
158
159 ctx->user_id = info->mmap_base;
160
161 info->nr = nr_events; /* trusted copy */
162
163 ring = kmap_atomic(info->ring_pages[0], KM_USER0);
164 ring->nr = nr_events; /* user copy */
165 ring->id = ctx->user_id;
166 ring->head = ring->tail = 0;
167 ring->magic = AIO_RING_MAGIC;
168 ring->compat_features = AIO_RING_COMPAT_FEATURES;
169 ring->incompat_features = AIO_RING_INCOMPAT_FEATURES;
170 ring->header_length = sizeof(struct aio_ring);
171 kunmap_atomic(ring, KM_USER0);
172
173 return 0;
174}
175
176
177/* aio_ring_event: returns a pointer to the event at the given index from
178 * kmap_atomic(, km). Release the pointer with put_aio_ring_event();
179 */
180#define AIO_EVENTS_PER_PAGE (PAGE_SIZE / sizeof(struct io_event))
181#define AIO_EVENTS_FIRST_PAGE ((PAGE_SIZE - sizeof(struct aio_ring)) / sizeof(struct io_event))
182#define AIO_EVENTS_OFFSET (AIO_EVENTS_PER_PAGE - AIO_EVENTS_FIRST_PAGE)
183
184#define aio_ring_event(info, nr, km) ({ \
185 unsigned pos = (nr) + AIO_EVENTS_OFFSET; \
186 struct io_event *__event; \
187 __event = kmap_atomic( \
188 (info)->ring_pages[pos / AIO_EVENTS_PER_PAGE], km); \
189 __event += pos % AIO_EVENTS_PER_PAGE; \
190 __event; \
191})
192
193#define put_aio_ring_event(event, km) do { \
194 struct io_event *__event = (event); \
195 (void)__event; \
196 kunmap_atomic((void *)((unsigned long)__event & PAGE_MASK), km); \
197} while(0)
198
199static void ctx_rcu_free(struct rcu_head *head)
200{
201 struct kioctx *ctx = container_of(head, struct kioctx, rcu_head);
202 unsigned nr_events = ctx->max_reqs;
203
204 kmem_cache_free(kioctx_cachep, ctx);
205
206 if (nr_events) {
207 spin_lock(&aio_nr_lock);
208 BUG_ON(aio_nr - nr_events > aio_nr);
209 aio_nr -= nr_events;
210 spin_unlock(&aio_nr_lock);
211 }
212}
213
214/* __put_ioctx
215 * Called when the last user of an aio context has gone away,
216 * and the struct needs to be freed.
217 */
218static void __put_ioctx(struct kioctx *ctx)
219{
220 BUG_ON(ctx->reqs_active);
221
222 cancel_delayed_work(&ctx->wq);
223 cancel_work_sync(&ctx->wq.work);
224 aio_free_ring(ctx);
225 mmdrop(ctx->mm);
226 ctx->mm = NULL;
227 pr_debug("__put_ioctx: freeing %p\n", ctx);
228 call_rcu(&ctx->rcu_head, ctx_rcu_free);
229}
230
231static inline void get_ioctx(struct kioctx *kioctx)
232{
233 BUG_ON(atomic_read(&kioctx->users) <= 0);
234 atomic_inc(&kioctx->users);
235}
236
237static inline int try_get_ioctx(struct kioctx *kioctx)
238{
239 return atomic_inc_not_zero(&kioctx->users);
240}
241
242static inline void put_ioctx(struct kioctx *kioctx)
243{
244 BUG_ON(atomic_read(&kioctx->users) <= 0);
245 if (unlikely(atomic_dec_and_test(&kioctx->users)))
246 __put_ioctx(kioctx);
247}
248
249/* ioctx_alloc
250 * Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
251 */
252static struct kioctx *ioctx_alloc(unsigned nr_events)
253{
254 struct mm_struct *mm;
255 struct kioctx *ctx;
256 int did_sync = 0;
257
258 /* Prevent overflows */
259 if ((nr_events > (0x10000000U / sizeof(struct io_event))) ||
260 (nr_events > (0x10000000U / sizeof(struct kiocb)))) {
261 pr_debug("ENOMEM: nr_events too high\n");
262 return ERR_PTR(-EINVAL);
263 }
264
265 if ((unsigned long)nr_events > aio_max_nr)
266 return ERR_PTR(-EAGAIN);
267
268 ctx = kmem_cache_zalloc(kioctx_cachep, GFP_KERNEL);
269 if (!ctx)
270 return ERR_PTR(-ENOMEM);
271
272 ctx->max_reqs = nr_events;
273 mm = ctx->mm = current->mm;
274 atomic_inc(&mm->mm_count);
275
276 atomic_set(&ctx->users, 1);
277 spin_lock_init(&ctx->ctx_lock);
278 spin_lock_init(&ctx->ring_info.ring_lock);
279 init_waitqueue_head(&ctx->wait);
280
281 INIT_LIST_HEAD(&ctx->active_reqs);
282 INIT_LIST_HEAD(&ctx->run_list);
283 INIT_DELAYED_WORK(&ctx->wq, aio_kick_handler);
284
285 if (aio_setup_ring(ctx) < 0)
286 goto out_freectx;
287
288 /* limit the number of system wide aios */
289 do {
290 spin_lock_bh(&aio_nr_lock);
291 if (aio_nr + nr_events > aio_max_nr ||
292 aio_nr + nr_events < aio_nr)
293 ctx->max_reqs = 0;
294 else
295 aio_nr += ctx->max_reqs;
296 spin_unlock_bh(&aio_nr_lock);
297 if (ctx->max_reqs || did_sync)
298 break;
299
300 /* wait for rcu callbacks to have completed before giving up */
301 synchronize_rcu();
302 did_sync = 1;
303 ctx->max_reqs = nr_events;
304 } while (1);
305
306 if (ctx->max_reqs == 0)
307 goto out_cleanup;
308
309 /* now link into global list. */
310 spin_lock(&mm->ioctx_lock);
311 hlist_add_head_rcu(&ctx->list, &mm->ioctx_list);
312 spin_unlock(&mm->ioctx_lock);
313
314 dprintk("aio: allocated ioctx %p[%ld]: mm=%p mask=0x%x\n",
315 ctx, ctx->user_id, current->mm, ctx->ring_info.nr);
316 return ctx;
317
318out_cleanup:
319 __put_ioctx(ctx);
320 return ERR_PTR(-EAGAIN);
321
322out_freectx:
323 mmdrop(mm);
324 kmem_cache_free(kioctx_cachep, ctx);
325 ctx = ERR_PTR(-ENOMEM);
326
327 dprintk("aio: error allocating ioctx %p\n", ctx);
328 return ctx;
329}
330
331/* aio_cancel_all
332 * Cancels all outstanding aio requests on an aio context. Used
333 * when the processes owning a context have all exited to encourage
334 * the rapid destruction of the kioctx.
335 */
336static void aio_cancel_all(struct kioctx *ctx)
337{
338 int (*cancel)(struct kiocb *, struct io_event *);
339 struct io_event res;
340 spin_lock_irq(&ctx->ctx_lock);
341 ctx->dead = 1;
342 while (!list_empty(&ctx->active_reqs)) {
343 struct list_head *pos = ctx->active_reqs.next;
344 struct kiocb *iocb = list_kiocb(pos);
345 list_del_init(&iocb->ki_list);
346 cancel = iocb->ki_cancel;
347 kiocbSetCancelled(iocb);
348 if (cancel) {
349 iocb->ki_users++;
350 spin_unlock_irq(&ctx->ctx_lock);
351 cancel(iocb, &res);
352 spin_lock_irq(&ctx->ctx_lock);
353 }
354 }
355 spin_unlock_irq(&ctx->ctx_lock);
356}
357
358static void wait_for_all_aios(struct kioctx *ctx)
359{
360 struct task_struct *tsk = current;
361 DECLARE_WAITQUEUE(wait, tsk);
362
363 spin_lock_irq(&ctx->ctx_lock);
364 if (!ctx->reqs_active)
365 goto out;
366
367 add_wait_queue(&ctx->wait, &wait);
368 set_task_state(tsk, TASK_UNINTERRUPTIBLE);
369 while (ctx->reqs_active) {
370 spin_unlock_irq(&ctx->ctx_lock);
371 io_schedule();
372 set_task_state(tsk, TASK_UNINTERRUPTIBLE);
373 spin_lock_irq(&ctx->ctx_lock);
374 }
375 __set_task_state(tsk, TASK_RUNNING);
376 remove_wait_queue(&ctx->wait, &wait);
377
378out:
379 spin_unlock_irq(&ctx->ctx_lock);
380}
381
382/* wait_on_sync_kiocb:
383 * Waits on the given sync kiocb to complete.
384 */
385ssize_t wait_on_sync_kiocb(struct kiocb *iocb)
386{
387 while (iocb->ki_users) {
388 set_current_state(TASK_UNINTERRUPTIBLE);
389 if (!iocb->ki_users)
390 break;
391 io_schedule();
392 }
393 __set_current_state(TASK_RUNNING);
394 return iocb->ki_user_data;
395}
396EXPORT_SYMBOL(wait_on_sync_kiocb);
397
398/* exit_aio: called when the last user of mm goes away. At this point,
399 * there is no way for any new requests to be submited or any of the
400 * io_* syscalls to be called on the context. However, there may be
401 * outstanding requests which hold references to the context; as they
402 * go away, they will call put_ioctx and release any pinned memory
403 * associated with the request (held via struct page * references).
404 */
405void exit_aio(struct mm_struct *mm)
406{
407 struct kioctx *ctx;
408
409 while (!hlist_empty(&mm->ioctx_list)) {
410 ctx = hlist_entry(mm->ioctx_list.first, struct kioctx, list);
411 hlist_del_rcu(&ctx->list);
412
413 aio_cancel_all(ctx);
414
415 wait_for_all_aios(ctx);
416 /*
417 * Ensure we don't leave the ctx on the aio_wq
418 */
419 cancel_work_sync(&ctx->wq.work);
420
421 if (1 != atomic_read(&ctx->users))
422 printk(KERN_DEBUG
423 "exit_aio:ioctx still alive: %d %d %d\n",
424 atomic_read(&ctx->users), ctx->dead,
425 ctx->reqs_active);
426 put_ioctx(ctx);
427 }
428}
429
430/* aio_get_req
431 * Allocate a slot for an aio request. Increments the users count
432 * of the kioctx so that the kioctx stays around until all requests are
433 * complete. Returns NULL if no requests are free.
434 *
435 * Returns with kiocb->users set to 2. The io submit code path holds
436 * an extra reference while submitting the i/o.
437 * This prevents races between the aio code path referencing the
438 * req (after submitting it) and aio_complete() freeing the req.
439 */
440static struct kiocb *__aio_get_req(struct kioctx *ctx)
441{
442 struct kiocb *req = NULL;
443 struct aio_ring *ring;
444 int okay = 0;
445
446 req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL);
447 if (unlikely(!req))
448 return NULL;
449
450 req->ki_flags = 0;
451 req->ki_users = 2;
452 req->ki_key = 0;
453 req->ki_ctx = ctx;
454 req->ki_cancel = NULL;
455 req->ki_retry = NULL;
456 req->ki_dtor = NULL;
457 req->private = NULL;
458 req->ki_iovec = NULL;
459 INIT_LIST_HEAD(&req->ki_run_list);
460 req->ki_eventfd = NULL;
461
462 /* Check if the completion queue has enough free space to
463 * accept an event from this io.
464 */
465 spin_lock_irq(&ctx->ctx_lock);
466 ring = kmap_atomic(ctx->ring_info.ring_pages[0], KM_USER0);
467 if (ctx->reqs_active < aio_ring_avail(&ctx->ring_info, ring)) {
468 list_add(&req->ki_list, &ctx->active_reqs);
469 ctx->reqs_active++;
470 okay = 1;
471 }
472 kunmap_atomic(ring, KM_USER0);
473 spin_unlock_irq(&ctx->ctx_lock);
474
475 if (!okay) {
476 kmem_cache_free(kiocb_cachep, req);
477 req = NULL;
478 }
479
480 return req;
481}
482
483static inline struct kiocb *aio_get_req(struct kioctx *ctx)
484{
485 struct kiocb *req;
486 /* Handle a potential starvation case -- should be exceedingly rare as
487 * requests will be stuck on fput_head only if the aio_fput_routine is
488 * delayed and the requests were the last user of the struct file.
489 */
490 req = __aio_get_req(ctx);
491 if (unlikely(NULL == req)) {
492 aio_fput_routine(NULL);
493 req = __aio_get_req(ctx);
494 }
495 return req;
496}
497
498static inline void really_put_req(struct kioctx *ctx, struct kiocb *req)
499{
500 assert_spin_locked(&ctx->ctx_lock);
501
502 if (req->ki_eventfd != NULL)
503 eventfd_ctx_put(req->ki_eventfd);
504 if (req->ki_dtor)
505 req->ki_dtor(req);
506 if (req->ki_iovec != &req->ki_inline_vec)
507 kfree(req->ki_iovec);
508 kmem_cache_free(kiocb_cachep, req);
509 ctx->reqs_active--;
510
511 if (unlikely(!ctx->reqs_active && ctx->dead))
512 wake_up_all(&ctx->wait);
513}
514
515static void aio_fput_routine(struct work_struct *data)
516{
517 spin_lock_irq(&fput_lock);
518 while (likely(!list_empty(&fput_head))) {
519 struct kiocb *req = list_kiocb(fput_head.next);
520 struct kioctx *ctx = req->ki_ctx;
521
522 list_del(&req->ki_list);
523 spin_unlock_irq(&fput_lock);
524
525 /* Complete the fput(s) */
526 if (req->ki_filp != NULL)
527 fput(req->ki_filp);
528
529 /* Link the iocb into the context's free list */
530 spin_lock_irq(&ctx->ctx_lock);
531 really_put_req(ctx, req);
532 spin_unlock_irq(&ctx->ctx_lock);
533
534 put_ioctx(ctx);
535 spin_lock_irq(&fput_lock);
536 }
537 spin_unlock_irq(&fput_lock);
538}
539
540/* __aio_put_req
541 * Returns true if this put was the last user of the request.
542 */
543static int __aio_put_req(struct kioctx *ctx, struct kiocb *req)
544{
545 dprintk(KERN_DEBUG "aio_put(%p): f_count=%ld\n",
546 req, atomic_long_read(&req->ki_filp->f_count));
547
548 assert_spin_locked(&ctx->ctx_lock);
549
550 req->ki_users--;
551 BUG_ON(req->ki_users < 0);
552 if (likely(req->ki_users))
553 return 0;
554 list_del(&req->ki_list); /* remove from active_reqs */
555 req->ki_cancel = NULL;
556 req->ki_retry = NULL;
557
558 /*
559 * Try to optimize the aio and eventfd file* puts, by avoiding to
560 * schedule work in case it is not final fput() time. In normal cases,
561 * we would not be holding the last reference to the file*, so
562 * this function will be executed w/out any aio kthread wakeup.
563 */
564 if (unlikely(!fput_atomic(req->ki_filp))) {
565 get_ioctx(ctx);
566 spin_lock(&fput_lock);
567 list_add(&req->ki_list, &fput_head);
568 spin_unlock(&fput_lock);
569 schedule_work(&fput_work);
570 } else {
571 req->ki_filp = NULL;
572 really_put_req(ctx, req);
573 }
574 return 1;
575}
576
577/* aio_put_req
578 * Returns true if this put was the last user of the kiocb,
579 * false if the request is still in use.
580 */
581int aio_put_req(struct kiocb *req)
582{
583 struct kioctx *ctx = req->ki_ctx;
584 int ret;
585 spin_lock_irq(&ctx->ctx_lock);
586 ret = __aio_put_req(ctx, req);
587 spin_unlock_irq(&ctx->ctx_lock);
588 return ret;
589}
590EXPORT_SYMBOL(aio_put_req);
591
592static struct kioctx *lookup_ioctx(unsigned long ctx_id)
593{
594 struct mm_struct *mm = current->mm;
595 struct kioctx *ctx, *ret = NULL;
596 struct hlist_node *n;
597
598 rcu_read_lock();
599
600 hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
601 /*
602 * RCU protects us against accessing freed memory but
603 * we have to be careful not to get a reference when the
604 * reference count already dropped to 0 (ctx->dead test
605 * is unreliable because of races).
606 */
607 if (ctx->user_id == ctx_id && !ctx->dead && try_get_ioctx(ctx)){
608 ret = ctx;
609 break;
610 }
611 }
612
613 rcu_read_unlock();
614 return ret;
615}
616
617/*
618 * Queue up a kiocb to be retried. Assumes that the kiocb
619 * has already been marked as kicked, and places it on
620 * the retry run list for the corresponding ioctx, if it
621 * isn't already queued. Returns 1 if it actually queued
622 * the kiocb (to tell the caller to activate the work
623 * queue to process it), or 0, if it found that it was
624 * already queued.
625 */
626static inline int __queue_kicked_iocb(struct kiocb *iocb)
627{
628 struct kioctx *ctx = iocb->ki_ctx;
629
630 assert_spin_locked(&ctx->ctx_lock);
631
632 if (list_empty(&iocb->ki_run_list)) {
633 list_add_tail(&iocb->ki_run_list,
634 &ctx->run_list);
635 return 1;
636 }
637 return 0;
638}
639
640/* aio_run_iocb
641 * This is the core aio execution routine. It is
642 * invoked both for initial i/o submission and
643 * subsequent retries via the aio_kick_handler.
644 * Expects to be invoked with iocb->ki_ctx->lock
645 * already held. The lock is released and reacquired
646 * as needed during processing.
647 *
648 * Calls the iocb retry method (already setup for the
649 * iocb on initial submission) for operation specific
650 * handling, but takes care of most of common retry
651 * execution details for a given iocb. The retry method
652 * needs to be non-blocking as far as possible, to avoid
653 * holding up other iocbs waiting to be serviced by the
654 * retry kernel thread.
655 *
656 * The trickier parts in this code have to do with
657 * ensuring that only one retry instance is in progress
658 * for a given iocb at any time. Providing that guarantee
659 * simplifies the coding of individual aio operations as
660 * it avoids various potential races.
661 */
662static ssize_t aio_run_iocb(struct kiocb *iocb)
663{
664 struct kioctx *ctx = iocb->ki_ctx;
665 ssize_t (*retry)(struct kiocb *);
666 ssize_t ret;
667
668 if (!(retry = iocb->ki_retry)) {
669 printk("aio_run_iocb: iocb->ki_retry = NULL\n");
670 return 0;
671 }
672
673 /*
674 * We don't want the next retry iteration for this
675 * operation to start until this one has returned and
676 * updated the iocb state. However, wait_queue functions
677 * can trigger a kick_iocb from interrupt context in the
678 * meantime, indicating that data is available for the next
679 * iteration. We want to remember that and enable the
680 * next retry iteration _after_ we are through with
681 * this one.
682 *
683 * So, in order to be able to register a "kick", but
684 * prevent it from being queued now, we clear the kick
685 * flag, but make the kick code *think* that the iocb is
686 * still on the run list until we are actually done.
687 * When we are done with this iteration, we check if
688 * the iocb was kicked in the meantime and if so, queue
689 * it up afresh.
690 */
691
692 kiocbClearKicked(iocb);
693
694 /*
695 * This is so that aio_complete knows it doesn't need to
696 * pull the iocb off the run list (We can't just call
697 * INIT_LIST_HEAD because we don't want a kick_iocb to
698 * queue this on the run list yet)
699 */
700 iocb->ki_run_list.next = iocb->ki_run_list.prev = NULL;
701 spin_unlock_irq(&ctx->ctx_lock);
702
703 /* Quit retrying if the i/o has been cancelled */
704 if (kiocbIsCancelled(iocb)) {
705 ret = -EINTR;
706 aio_complete(iocb, ret, 0);
707 /* must not access the iocb after this */
708 goto out;
709 }
710
711 /*
712 * Now we are all set to call the retry method in async
713 * context.
714 */
715 ret = retry(iocb);
716
717 if (ret != -EIOCBRETRY && ret != -EIOCBQUEUED) {
718 /*
719 * There's no easy way to restart the syscall since other AIO's
720 * may be already running. Just fail this IO with EINTR.
721 */
722 if (unlikely(ret == -ERESTARTSYS || ret == -ERESTARTNOINTR ||
723 ret == -ERESTARTNOHAND || ret == -ERESTART_RESTARTBLOCK))
724 ret = -EINTR;
725 aio_complete(iocb, ret, 0);
726 }
727out:
728 spin_lock_irq(&ctx->ctx_lock);
729
730 if (-EIOCBRETRY == ret) {
731 /*
732 * OK, now that we are done with this iteration
733 * and know that there is more left to go,
734 * this is where we let go so that a subsequent
735 * "kick" can start the next iteration
736 */
737
738 /* will make __queue_kicked_iocb succeed from here on */
739 INIT_LIST_HEAD(&iocb->ki_run_list);
740 /* we must queue the next iteration ourselves, if it
741 * has already been kicked */
742 if (kiocbIsKicked(iocb)) {
743 __queue_kicked_iocb(iocb);
744
745 /*
746 * __queue_kicked_iocb will always return 1 here, because
747 * iocb->ki_run_list is empty at this point so it should
748 * be safe to unconditionally queue the context into the
749 * work queue.
750 */
751 aio_queue_work(ctx);
752 }
753 }
754 return ret;
755}
756
757/*
758 * __aio_run_iocbs:
759 * Process all pending retries queued on the ioctx
760 * run list.
761 * Assumes it is operating within the aio issuer's mm
762 * context.
763 */
764static int __aio_run_iocbs(struct kioctx *ctx)
765{
766 struct kiocb *iocb;
767 struct list_head run_list;
768
769 assert_spin_locked(&ctx->ctx_lock);
770
771 list_replace_init(&ctx->run_list, &run_list);
772 while (!list_empty(&run_list)) {
773 iocb = list_entry(run_list.next, struct kiocb,
774 ki_run_list);
775 list_del(&iocb->ki_run_list);
776 /*
777 * Hold an extra reference while retrying i/o.
778 */
779 iocb->ki_users++; /* grab extra reference */
780 aio_run_iocb(iocb);
781 __aio_put_req(ctx, iocb);
782 }
783 if (!list_empty(&ctx->run_list))
784 return 1;
785 return 0;
786}
787
788static void aio_queue_work(struct kioctx * ctx)
789{
790 unsigned long timeout;
791 /*
792 * if someone is waiting, get the work started right
793 * away, otherwise, use a longer delay
794 */
795 smp_mb();
796 if (waitqueue_active(&ctx->wait))
797 timeout = 1;
798 else
799 timeout = HZ/10;
800 queue_delayed_work(aio_wq, &ctx->wq, timeout);
801}
802
803/*
804 * aio_run_all_iocbs:
805 * Process all pending retries queued on the ioctx
806 * run list, and keep running them until the list
807 * stays empty.
808 * Assumes it is operating within the aio issuer's mm context.
809 */
810static inline void aio_run_all_iocbs(struct kioctx *ctx)
811{
812 spin_lock_irq(&ctx->ctx_lock);
813 while (__aio_run_iocbs(ctx))
814 ;
815 spin_unlock_irq(&ctx->ctx_lock);
816}
817
818/*
819 * aio_kick_handler:
820 * Work queue handler triggered to process pending
821 * retries on an ioctx. Takes on the aio issuer's
822 * mm context before running the iocbs, so that
823 * copy_xxx_user operates on the issuer's address
824 * space.
825 * Run on aiod's context.
826 */
827static void aio_kick_handler(struct work_struct *work)
828{
829 struct kioctx *ctx = container_of(work, struct kioctx, wq.work);
830 mm_segment_t oldfs = get_fs();
831 struct mm_struct *mm;
832 int requeue;
833
834 set_fs(USER_DS);
835 use_mm(ctx->mm);
836 spin_lock_irq(&ctx->ctx_lock);
837 requeue =__aio_run_iocbs(ctx);
838 mm = ctx->mm;
839 spin_unlock_irq(&ctx->ctx_lock);
840 unuse_mm(mm);
841 set_fs(oldfs);
842 /*
843 * we're in a worker thread already, don't use queue_delayed_work,
844 */
845 if (requeue)
846 queue_delayed_work(aio_wq, &ctx->wq, 0);
847}
848
849
850/*
851 * Called by kick_iocb to queue the kiocb for retry
852 * and if required activate the aio work queue to process
853 * it
854 */
855static void try_queue_kicked_iocb(struct kiocb *iocb)
856{
857 struct kioctx *ctx = iocb->ki_ctx;
858 unsigned long flags;
859 int run = 0;
860
861 spin_lock_irqsave(&ctx->ctx_lock, flags);
862 /* set this inside the lock so that we can't race with aio_run_iocb()
863 * testing it and putting the iocb on the run list under the lock */
864 if (!kiocbTryKick(iocb))
865 run = __queue_kicked_iocb(iocb);
866 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
867 if (run)
868 aio_queue_work(ctx);
869}
870
871/*
872 * kick_iocb:
873 * Called typically from a wait queue callback context
874 * to trigger a retry of the iocb.
875 * The retry is usually executed by aio workqueue
876 * threads (See aio_kick_handler).
877 */
878void kick_iocb(struct kiocb *iocb)
879{
880 /* sync iocbs are easy: they can only ever be executing from a
881 * single context. */
882 if (is_sync_kiocb(iocb)) {
883 kiocbSetKicked(iocb);
884 wake_up_process(iocb->ki_obj.tsk);
885 return;
886 }
887
888 try_queue_kicked_iocb(iocb);
889}
890EXPORT_SYMBOL(kick_iocb);
891
892/* aio_complete
893 * Called when the io request on the given iocb is complete.
894 * Returns true if this is the last user of the request. The
895 * only other user of the request can be the cancellation code.
896 */
897int aio_complete(struct kiocb *iocb, long res, long res2)
898{
899 struct kioctx *ctx = iocb->ki_ctx;
900 struct aio_ring_info *info;
901 struct aio_ring *ring;
902 struct io_event *event;
903 unsigned long flags;
904 unsigned long tail;
905 int ret;
906
907 /*
908 * Special case handling for sync iocbs:
909 * - events go directly into the iocb for fast handling
910 * - the sync task with the iocb in its stack holds the single iocb
911 * ref, no other paths have a way to get another ref
912 * - the sync task helpfully left a reference to itself in the iocb
913 */
914 if (is_sync_kiocb(iocb)) {
915 BUG_ON(iocb->ki_users != 1);
916 iocb->ki_user_data = res;
917 iocb->ki_users = 0;
918 wake_up_process(iocb->ki_obj.tsk);
919 return 1;
920 }
921
922 info = &ctx->ring_info;
923
924 /* add a completion event to the ring buffer.
925 * must be done holding ctx->ctx_lock to prevent
926 * other code from messing with the tail
927 * pointer since we might be called from irq
928 * context.
929 */
930 spin_lock_irqsave(&ctx->ctx_lock, flags);
931
932 if (iocb->ki_run_list.prev && !list_empty(&iocb->ki_run_list))
933 list_del_init(&iocb->ki_run_list);
934
935 /*
936 * cancelled requests don't get events, userland was given one
937 * when the event got cancelled.
938 */
939 if (kiocbIsCancelled(iocb))
940 goto put_rq;
941
942 ring = kmap_atomic(info->ring_pages[0], KM_IRQ1);
943
944 tail = info->tail;
945 event = aio_ring_event(info, tail, KM_IRQ0);
946 if (++tail >= info->nr)
947 tail = 0;
948
949 event->obj = (u64)(unsigned long)iocb->ki_obj.user;
950 event->data = iocb->ki_user_data;
951 event->res = res;
952 event->res2 = res2;
953
954 dprintk("aio_complete: %p[%lu]: %p: %p %Lx %lx %lx\n",
955 ctx, tail, iocb, iocb->ki_obj.user, iocb->ki_user_data,
956 res, res2);
957
958 /* after flagging the request as done, we
959 * must never even look at it again
960 */
961 smp_wmb(); /* make event visible before updating tail */
962
963 info->tail = tail;
964 ring->tail = tail;
965
966 put_aio_ring_event(event, KM_IRQ0);
967 kunmap_atomic(ring, KM_IRQ1);
968
969 pr_debug("added to ring %p at [%lu]\n", iocb, tail);
970
971 /*
972 * Check if the user asked us to deliver the result through an
973 * eventfd. The eventfd_signal() function is safe to be called
974 * from IRQ context.
975 */
976 if (iocb->ki_eventfd != NULL)
977 eventfd_signal(iocb->ki_eventfd, 1);
978
979put_rq:
980 /* everything turned out well, dispose of the aiocb. */
981 ret = __aio_put_req(ctx, iocb);
982
983 /*
984 * We have to order our ring_info tail store above and test
985 * of the wait list below outside the wait lock. This is
986 * like in wake_up_bit() where clearing a bit has to be
987 * ordered with the unlocked test.
988 */
989 smp_mb();
990
991 if (waitqueue_active(&ctx->wait))
992 wake_up(&ctx->wait);
993
994 spin_unlock_irqrestore(&ctx->ctx_lock, flags);
995 return ret;
996}
997EXPORT_SYMBOL(aio_complete);
998
999/* aio_read_evt
1000 * Pull an event off of the ioctx's event ring. Returns the number of
1001 * events fetched (0 or 1 ;-)
1002 * FIXME: make this use cmpxchg.
1003 * TODO: make the ringbuffer user mmap()able (requires FIXME).
1004 */
1005static int aio_read_evt(struct kioctx *ioctx, struct io_event *ent)
1006{
1007 struct aio_ring_info *info = &ioctx->ring_info;
1008 struct aio_ring *ring;
1009 unsigned long head;
1010 int ret = 0;
1011
1012 ring = kmap_atomic(info->ring_pages[0], KM_USER0);
1013 dprintk("in aio_read_evt h%lu t%lu m%lu\n",
1014 (unsigned long)ring->head, (unsigned long)ring->tail,
1015 (unsigned long)ring->nr);
1016
1017 if (ring->head == ring->tail)
1018 goto out;
1019
1020 spin_lock(&info->ring_lock);
1021
1022 head = ring->head % info->nr;
1023 if (head != ring->tail) {
1024 struct io_event *evp = aio_ring_event(info, head, KM_USER1);
1025 *ent = *evp;
1026 head = (head + 1) % info->nr;
1027 smp_mb(); /* finish reading the event before updatng the head */
1028 ring->head = head;
1029 ret = 1;
1030 put_aio_ring_event(evp, KM_USER1);
1031 }
1032 spin_unlock(&info->ring_lock);
1033
1034out:
1035 kunmap_atomic(ring, KM_USER0);
1036 dprintk("leaving aio_read_evt: %d h%lu t%lu\n", ret,
1037 (unsigned long)ring->head, (unsigned long)ring->tail);
1038 return ret;
1039}
1040
1041struct aio_timeout {
1042 struct timer_list timer;
1043 int timed_out;
1044 struct task_struct *p;
1045};
1046
1047static void timeout_func(unsigned long data)
1048{
1049 struct aio_timeout *to = (struct aio_timeout *)data;
1050
1051 to->timed_out = 1;
1052 wake_up_process(to->p);
1053}
1054
1055static inline void init_timeout(struct aio_timeout *to)
1056{
1057 setup_timer_on_stack(&to->timer, timeout_func, (unsigned long) to);
1058 to->timed_out = 0;
1059 to->p = current;
1060}
1061
1062static inline void set_timeout(long start_jiffies, struct aio_timeout *to,
1063 const struct timespec *ts)
1064{
1065 to->timer.expires = start_jiffies + timespec_to_jiffies(ts);
1066 if (time_after(to->timer.expires, jiffies))
1067 add_timer(&to->timer);
1068 else
1069 to->timed_out = 1;
1070}
1071
1072static inline void clear_timeout(struct aio_timeout *to)
1073{
1074 del_singleshot_timer_sync(&to->timer);
1075}
1076
1077static int read_events(struct kioctx *ctx,
1078 long min_nr, long nr,
1079 struct io_event __user *event,
1080 struct timespec __user *timeout)
1081{
1082 long start_jiffies = jiffies;
1083 struct task_struct *tsk = current;
1084 DECLARE_WAITQUEUE(wait, tsk);
1085 int ret;
1086 int i = 0;
1087 struct io_event ent;
1088 struct aio_timeout to;
1089 int retry = 0;
1090
1091 /* needed to zero any padding within an entry (there shouldn't be
1092 * any, but C is fun!
1093 */
1094 memset(&ent, 0, sizeof(ent));
1095retry:
1096 ret = 0;
1097 while (likely(i < nr)) {
1098 ret = aio_read_evt(ctx, &ent);
1099 if (unlikely(ret <= 0))
1100 break;
1101
1102 dprintk("read event: %Lx %Lx %Lx %Lx\n",
1103 ent.data, ent.obj, ent.res, ent.res2);
1104
1105 /* Could we split the check in two? */
1106 ret = -EFAULT;
1107 if (unlikely(copy_to_user(event, &ent, sizeof(ent)))) {
1108 dprintk("aio: lost an event due to EFAULT.\n");
1109 break;
1110 }
1111 ret = 0;
1112
1113 /* Good, event copied to userland, update counts. */
1114 event ++;
1115 i ++;
1116 }
1117
1118 if (min_nr <= i)
1119 return i;
1120 if (ret)
1121 return ret;
1122
1123 /* End fast path */
1124
1125 /* racey check, but it gets redone */
1126 if (!retry && unlikely(!list_empty(&ctx->run_list))) {
1127 retry = 1;
1128 aio_run_all_iocbs(ctx);
1129 goto retry;
1130 }
1131
1132 init_timeout(&to);
1133 if (timeout) {
1134 struct timespec ts;
1135 ret = -EFAULT;
1136 if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
1137 goto out;
1138
1139 set_timeout(start_jiffies, &to, &ts);
1140 }
1141
1142 while (likely(i < nr)) {
1143 add_wait_queue_exclusive(&ctx->wait, &wait);
1144 do {
1145 set_task_state(tsk, TASK_INTERRUPTIBLE);
1146 ret = aio_read_evt(ctx, &ent);
1147 if (ret)
1148 break;
1149 if (min_nr <= i)
1150 break;
1151 if (unlikely(ctx->dead)) {
1152 ret = -EINVAL;
1153 break;
1154 }
1155 if (to.timed_out) /* Only check after read evt */
1156 break;
1157 /* Try to only show up in io wait if there are ops
1158 * in flight */
1159 if (ctx->reqs_active)
1160 io_schedule();
1161 else
1162 schedule();
1163 if (signal_pending(tsk)) {
1164 ret = -EINTR;
1165 break;
1166 }
1167 /*ret = aio_read_evt(ctx, &ent);*/
1168 } while (1) ;
1169
1170 set_task_state(tsk, TASK_RUNNING);
1171 remove_wait_queue(&ctx->wait, &wait);
1172
1173 if (unlikely(ret <= 0))
1174 break;
1175
1176 ret = -EFAULT;
1177 if (unlikely(copy_to_user(event, &ent, sizeof(ent)))) {
1178 dprintk("aio: lost an event due to EFAULT.\n");
1179 break;
1180 }
1181
1182 /* Good, event copied to userland, update counts. */
1183 event ++;
1184 i ++;
1185 }
1186
1187 if (timeout)
1188 clear_timeout(&to);
1189out:
1190 destroy_timer_on_stack(&to.timer);
1191 return i ? i : ret;
1192}
1193
1194/* Take an ioctx and remove it from the list of ioctx's. Protects
1195 * against races with itself via ->dead.
1196 */
1197static void io_destroy(struct kioctx *ioctx)
1198{
1199 struct mm_struct *mm = current->mm;
1200 int was_dead;
1201
1202 /* delete the entry from the list is someone else hasn't already */
1203 spin_lock(&mm->ioctx_lock);
1204 was_dead = ioctx->dead;
1205 ioctx->dead = 1;
1206 hlist_del_rcu(&ioctx->list);
1207 spin_unlock(&mm->ioctx_lock);
1208
1209 dprintk("aio_release(%p)\n", ioctx);
1210 if (likely(!was_dead))
1211 put_ioctx(ioctx); /* twice for the list */
1212
1213 aio_cancel_all(ioctx);
1214 wait_for_all_aios(ioctx);
1215
1216 /*
1217 * Wake up any waiters. The setting of ctx->dead must be seen
1218 * by other CPUs at this point. Right now, we rely on the
1219 * locking done by the above calls to ensure this consistency.
1220 */
1221 wake_up_all(&ioctx->wait);
1222 put_ioctx(ioctx); /* once for the lookup */
1223}
1224
1225/* sys_io_setup:
1226 * Create an aio_context capable of receiving at least nr_events.
1227 * ctxp must not point to an aio_context that already exists, and
1228 * must be initialized to 0 prior to the call. On successful
1229 * creation of the aio_context, *ctxp is filled in with the resulting
1230 * handle. May fail with -EINVAL if *ctxp is not initialized,
1231 * if the specified nr_events exceeds internal limits. May fail
1232 * with -EAGAIN if the specified nr_events exceeds the user's limit
1233 * of available events. May fail with -ENOMEM if insufficient kernel
1234 * resources are available. May fail with -EFAULT if an invalid
1235 * pointer is passed for ctxp. Will fail with -ENOSYS if not
1236 * implemented.
1237 */
1238SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
1239{
1240 struct kioctx *ioctx = NULL;
1241 unsigned long ctx;
1242 long ret;
1243
1244 ret = get_user(ctx, ctxp);
1245 if (unlikely(ret))
1246 goto out;
1247
1248 ret = -EINVAL;
1249 if (unlikely(ctx || nr_events == 0)) {
1250 pr_debug("EINVAL: io_setup: ctx %lu nr_events %u\n",
1251 ctx, nr_events);
1252 goto out;
1253 }
1254
1255 ioctx = ioctx_alloc(nr_events);
1256 ret = PTR_ERR(ioctx);
1257 if (!IS_ERR(ioctx)) {
1258 ret = put_user(ioctx->user_id, ctxp);
1259 if (!ret)
1260 return 0;
1261
1262 get_ioctx(ioctx); /* io_destroy() expects us to hold a ref */
1263 io_destroy(ioctx);
1264 }
1265
1266out:
1267 return ret;
1268}
1269
1270/* sys_io_destroy:
1271 * Destroy the aio_context specified. May cancel any outstanding
1272 * AIOs and block on completion. Will fail with -ENOSYS if not
1273 * implemented. May fail with -EINVAL if the context pointed to
1274 * is invalid.
1275 */
1276SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
1277{
1278 struct kioctx *ioctx = lookup_ioctx(ctx);
1279 if (likely(NULL != ioctx)) {
1280 io_destroy(ioctx);
1281 return 0;
1282 }
1283 pr_debug("EINVAL: io_destroy: invalid context id\n");
1284 return -EINVAL;
1285}
1286
1287static void aio_advance_iovec(struct kiocb *iocb, ssize_t ret)
1288{
1289 struct iovec *iov = &iocb->ki_iovec[iocb->ki_cur_seg];
1290
1291 BUG_ON(ret <= 0);
1292
1293 while (iocb->ki_cur_seg < iocb->ki_nr_segs && ret > 0) {
1294 ssize_t this = min((ssize_t)iov->iov_len, ret);
1295 iov->iov_base += this;
1296 iov->iov_len -= this;
1297 iocb->ki_left -= this;
1298 ret -= this;
1299 if (iov->iov_len == 0) {
1300 iocb->ki_cur_seg++;
1301 iov++;
1302 }
1303 }
1304
1305 /* the caller should not have done more io than what fit in
1306 * the remaining iovecs */
1307 BUG_ON(ret > 0 && iocb->ki_left == 0);
1308}
1309
1310static ssize_t aio_rw_vect_retry(struct kiocb *iocb)
1311{
1312 struct file *file = iocb->ki_filp;
1313 struct address_space *mapping = file->f_mapping;
1314 struct inode *inode = mapping->host;
1315 ssize_t (*rw_op)(struct kiocb *, const struct iovec *,
1316 unsigned long, loff_t);
1317 ssize_t ret = 0;
1318 unsigned short opcode;
1319
1320 if ((iocb->ki_opcode == IOCB_CMD_PREADV) ||
1321 (iocb->ki_opcode == IOCB_CMD_PREAD)) {
1322 rw_op = file->f_op->aio_read;
1323 opcode = IOCB_CMD_PREADV;
1324 } else {
1325 rw_op = file->f_op->aio_write;
1326 opcode = IOCB_CMD_PWRITEV;
1327 }
1328
1329 /* This matches the pread()/pwrite() logic */
1330 if (iocb->ki_pos < 0)
1331 return -EINVAL;
1332
1333 do {
1334 ret = rw_op(iocb, &iocb->ki_iovec[iocb->ki_cur_seg],
1335 iocb->ki_nr_segs - iocb->ki_cur_seg,
1336 iocb->ki_pos);
1337 if (ret > 0)
1338 aio_advance_iovec(iocb, ret);
1339
1340 /* retry all partial writes. retry partial reads as long as its a
1341 * regular file. */
1342 } while (ret > 0 && iocb->ki_left > 0 &&
1343 (opcode == IOCB_CMD_PWRITEV ||
1344 (!S_ISFIFO(inode->i_mode) && !S_ISSOCK(inode->i_mode))));
1345
1346 /* This means we must have transferred all that we could */
1347 /* No need to retry anymore */
1348 if ((ret == 0) || (iocb->ki_left == 0))
1349 ret = iocb->ki_nbytes - iocb->ki_left;
1350
1351 /* If we managed to write some out we return that, rather than
1352 * the eventual error. */
1353 if (opcode == IOCB_CMD_PWRITEV
1354 && ret < 0 && ret != -EIOCBQUEUED && ret != -EIOCBRETRY
1355 && iocb->ki_nbytes - iocb->ki_left)
1356 ret = iocb->ki_nbytes - iocb->ki_left;
1357
1358 return ret;
1359}
1360
1361static ssize_t aio_fdsync(struct kiocb *iocb)
1362{
1363 struct file *file = iocb->ki_filp;
1364 ssize_t ret = -EINVAL;
1365
1366 if (file->f_op->aio_fsync)
1367 ret = file->f_op->aio_fsync(iocb, 1);
1368 return ret;
1369}
1370
1371static ssize_t aio_fsync(struct kiocb *iocb)
1372{
1373 struct file *file = iocb->ki_filp;
1374 ssize_t ret = -EINVAL;
1375
1376 if (file->f_op->aio_fsync)
1377 ret = file->f_op->aio_fsync(iocb, 0);
1378 return ret;
1379}
1380
1381static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
1382{
1383 ssize_t ret;
1384
1385#ifdef CONFIG_COMPAT
1386 if (compat)
1387 ret = compat_rw_copy_check_uvector(type,
1388 (struct compat_iovec __user *)kiocb->ki_buf,
1389 kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
1390 &kiocb->ki_iovec);
1391 else
1392#endif
1393 ret = rw_copy_check_uvector(type,
1394 (struct iovec __user *)kiocb->ki_buf,
1395 kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
1396 &kiocb->ki_iovec);
1397 if (ret < 0)
1398 goto out;
1399
1400 kiocb->ki_nr_segs = kiocb->ki_nbytes;
1401 kiocb->ki_cur_seg = 0;
1402 /* ki_nbytes/left now reflect bytes instead of segs */
1403 kiocb->ki_nbytes = ret;
1404 kiocb->ki_left = ret;
1405
1406 ret = 0;
1407out:
1408 return ret;
1409}
1410
1411static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
1412{
1413 kiocb->ki_iovec = &kiocb->ki_inline_vec;
1414 kiocb->ki_iovec->iov_base = kiocb->ki_buf;
1415 kiocb->ki_iovec->iov_len = kiocb->ki_left;
1416 kiocb->ki_nr_segs = 1;
1417 kiocb->ki_cur_seg = 0;
1418 return 0;
1419}
1420
1421/*
1422 * aio_setup_iocb:
1423 * Performs the initial checks and aio retry method
1424 * setup for the kiocb at the time of io submission.
1425 */
1426static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
1427{
1428 struct file *file = kiocb->ki_filp;
1429 ssize_t ret = 0;
1430
1431 switch (kiocb->ki_opcode) {
1432 case IOCB_CMD_PREAD:
1433 ret = -EBADF;
1434 if (unlikely(!(file->f_mode & FMODE_READ)))
1435 break;
1436 ret = -EFAULT;
1437 if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
1438 kiocb->ki_left)))
1439 break;
1440 ret = security_file_permission(file, MAY_READ);
1441 if (unlikely(ret))
1442 break;
1443 ret = aio_setup_single_vector(kiocb);
1444 if (ret)
1445 break;
1446 ret = -EINVAL;
1447 if (file->f_op->aio_read)
1448 kiocb->ki_retry = aio_rw_vect_retry;
1449 break;
1450 case IOCB_CMD_PWRITE:
1451 ret = -EBADF;
1452 if (unlikely(!(file->f_mode & FMODE_WRITE)))
1453 break;
1454 ret = -EFAULT;
1455 if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
1456 kiocb->ki_left)))
1457 break;
1458 ret = security_file_permission(file, MAY_WRITE);
1459 if (unlikely(ret))
1460 break;
1461 ret = aio_setup_single_vector(kiocb);
1462 if (ret)
1463 break;
1464 ret = -EINVAL;
1465 if (file->f_op->aio_write)
1466 kiocb->ki_retry = aio_rw_vect_retry;
1467 break;
1468 case IOCB_CMD_PREADV:
1469 ret = -EBADF;
1470 if (unlikely(!(file->f_mode & FMODE_READ)))
1471 break;
1472 ret = security_file_permission(file, MAY_READ);
1473 if (unlikely(ret))
1474 break;
1475 ret = aio_setup_vectored_rw(READ, kiocb, compat);
1476 if (ret)
1477 break;
1478 ret = -EINVAL;
1479 if (file->f_op->aio_read)
1480 kiocb->ki_retry = aio_rw_vect_retry;
1481 break;
1482 case IOCB_CMD_PWRITEV:
1483 ret = -EBADF;
1484 if (unlikely(!(file->f_mode & FMODE_WRITE)))
1485 break;
1486 ret = security_file_permission(file, MAY_WRITE);
1487 if (unlikely(ret))
1488 break;
1489 ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
1490 if (ret)
1491 break;
1492 ret = -EINVAL;
1493 if (file->f_op->aio_write)
1494 kiocb->ki_retry = aio_rw_vect_retry;
1495 break;
1496 case IOCB_CMD_FDSYNC:
1497 ret = -EINVAL;
1498 if (file->f_op->aio_fsync)
1499 kiocb->ki_retry = aio_fdsync;
1500 break;
1501 case IOCB_CMD_FSYNC:
1502 ret = -EINVAL;
1503 if (file->f_op->aio_fsync)
1504 kiocb->ki_retry = aio_fsync;
1505 break;
1506 default:
1507 dprintk("EINVAL: io_submit: no operation provided\n");
1508 ret = -EINVAL;
1509 }
1510
1511 if (!kiocb->ki_retry)
1512 return ret;
1513
1514 return 0;
1515}
1516
1517static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1518 struct iocb *iocb, bool compat)
1519{
1520 struct kiocb *req;
1521 struct file *file;
1522 ssize_t ret;
1523
1524 /* enforce forwards compatibility on users */
1525 if (unlikely(iocb->aio_reserved1 || iocb->aio_reserved2)) {
1526 pr_debug("EINVAL: io_submit: reserve field set\n");
1527 return -EINVAL;
1528 }
1529
1530 /* prevent overflows */
1531 if (unlikely(
1532 (iocb->aio_buf != (unsigned long)iocb->aio_buf) ||
1533 (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) ||
1534 ((ssize_t)iocb->aio_nbytes < 0)
1535 )) {
1536 pr_debug("EINVAL: io_submit: overflow check\n");
1537 return -EINVAL;
1538 }
1539
1540 file = fget(iocb->aio_fildes);
1541 if (unlikely(!file))
1542 return -EBADF;
1543
1544 req = aio_get_req(ctx); /* returns with 2 references to req */
1545 if (unlikely(!req)) {
1546 fput(file);
1547 return -EAGAIN;
1548 }
1549 req->ki_filp = file;
1550 if (iocb->aio_flags & IOCB_FLAG_RESFD) {
1551 /*
1552 * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
1553 * instance of the file* now. The file descriptor must be
1554 * an eventfd() fd, and will be signaled for each completed
1555 * event using the eventfd_signal() function.
1556 */
1557 req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd);
1558 if (IS_ERR(req->ki_eventfd)) {
1559 ret = PTR_ERR(req->ki_eventfd);
1560 req->ki_eventfd = NULL;
1561 goto out_put_req;
1562 }
1563 }
1564
1565 ret = put_user(req->ki_key, &user_iocb->aio_key);
1566 if (unlikely(ret)) {
1567 dprintk("EFAULT: aio_key\n");
1568 goto out_put_req;
1569 }
1570
1571 req->ki_obj.user = user_iocb;
1572 req->ki_user_data = iocb->aio_data;
1573 req->ki_pos = iocb->aio_offset;
1574
1575 req->ki_buf = (char __user *)(unsigned long)iocb->aio_buf;
1576 req->ki_left = req->ki_nbytes = iocb->aio_nbytes;
1577 req->ki_opcode = iocb->aio_lio_opcode;
1578
1579 ret = aio_setup_iocb(req, compat);
1580
1581 if (ret)
1582 goto out_put_req;
1583
1584 spin_lock_irq(&ctx->ctx_lock);
1585 /*
1586 * We could have raced with io_destroy() and are currently holding a
1587 * reference to ctx which should be destroyed. We cannot submit IO
1588 * since ctx gets freed as soon as io_submit() puts its reference. The
1589 * check here is reliable: io_destroy() sets ctx->dead before waiting
1590 * for outstanding IO and the barrier between these two is realized by
1591 * unlock of mm->ioctx_lock and lock of ctx->ctx_lock. Analogously we
1592 * increment ctx->reqs_active before checking for ctx->dead and the
1593 * barrier is realized by unlock and lock of ctx->ctx_lock. Thus if we
1594 * don't see ctx->dead set here, io_destroy() waits for our IO to
1595 * finish.
1596 */
1597 if (ctx->dead) {
1598 spin_unlock_irq(&ctx->ctx_lock);
1599 ret = -EINVAL;
1600 goto out_put_req;
1601 }
1602 aio_run_iocb(req);
1603 if (!list_empty(&ctx->run_list)) {
1604 /* drain the run list */
1605 while (__aio_run_iocbs(ctx))
1606 ;
1607 }
1608 spin_unlock_irq(&ctx->ctx_lock);
1609
1610 aio_put_req(req); /* drop extra ref to req */
1611 return 0;
1612
1613out_put_req:
1614 aio_put_req(req); /* drop extra ref to req */
1615 aio_put_req(req); /* drop i/o ref to req */
1616 return ret;
1617}
1618
1619long do_io_submit(aio_context_t ctx_id, long nr,
1620 struct iocb __user *__user *iocbpp, bool compat)
1621{
1622 struct kioctx *ctx;
1623 long ret = 0;
1624 int i;
1625 struct blk_plug plug;
1626
1627 if (unlikely(nr < 0))
1628 return -EINVAL;
1629
1630 if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
1631 nr = LONG_MAX/sizeof(*iocbpp);
1632
1633 if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
1634 return -EFAULT;
1635
1636 ctx = lookup_ioctx(ctx_id);
1637 if (unlikely(!ctx)) {
1638 pr_debug("EINVAL: io_submit: invalid context id\n");
1639 return -EINVAL;
1640 }
1641
1642 blk_start_plug(&plug);
1643
1644 /*
1645 * AKPM: should this return a partial result if some of the IOs were
1646 * successfully submitted?
1647 */
1648 for (i=0; i<nr; i++) {
1649 struct iocb __user *user_iocb;
1650 struct iocb tmp;
1651
1652 if (unlikely(__get_user(user_iocb, iocbpp + i))) {
1653 ret = -EFAULT;
1654 break;
1655 }
1656
1657 if (unlikely(copy_from_user(&tmp, user_iocb, sizeof(tmp)))) {
1658 ret = -EFAULT;
1659 break;
1660 }
1661
1662 ret = io_submit_one(ctx, user_iocb, &tmp, compat);
1663 if (ret)
1664 break;
1665 }
1666 blk_finish_plug(&plug);
1667
1668 put_ioctx(ctx);
1669 return i ? i : ret;
1670}
1671
1672/* sys_io_submit:
1673 * Queue the nr iocbs pointed to by iocbpp for processing. Returns
1674 * the number of iocbs queued. May return -EINVAL if the aio_context
1675 * specified by ctx_id is invalid, if nr is < 0, if the iocb at
1676 * *iocbpp[0] is not properly initialized, if the operation specified
1677 * is invalid for the file descriptor in the iocb. May fail with
1678 * -EFAULT if any of the data structures point to invalid data. May
1679 * fail with -EBADF if the file descriptor specified in the first
1680 * iocb is invalid. May fail with -EAGAIN if insufficient resources
1681 * are available to queue any iocbs. Will return 0 if nr is 0. Will
1682 * fail with -ENOSYS if not implemented.
1683 */
1684SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
1685 struct iocb __user * __user *, iocbpp)
1686{
1687 return do_io_submit(ctx_id, nr, iocbpp, 0);
1688}
1689
1690/* lookup_kiocb
1691 * Finds a given iocb for cancellation.
1692 */
1693static struct kiocb *lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb,
1694 u32 key)
1695{
1696 struct list_head *pos;
1697
1698 assert_spin_locked(&ctx->ctx_lock);
1699
1700 /* TODO: use a hash or array, this sucks. */
1701 list_for_each(pos, &ctx->active_reqs) {
1702 struct kiocb *kiocb = list_kiocb(pos);
1703 if (kiocb->ki_obj.user == iocb && kiocb->ki_key == key)
1704 return kiocb;
1705 }
1706 return NULL;
1707}
1708
1709/* sys_io_cancel:
1710 * Attempts to cancel an iocb previously passed to io_submit. If
1711 * the operation is successfully cancelled, the resulting event is
1712 * copied into the memory pointed to by result without being placed
1713 * into the completion queue and 0 is returned. May fail with
1714 * -EFAULT if any of the data structures pointed to are invalid.
1715 * May fail with -EINVAL if aio_context specified by ctx_id is
1716 * invalid. May fail with -EAGAIN if the iocb specified was not
1717 * cancelled. Will fail with -ENOSYS if not implemented.
1718 */
1719SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
1720 struct io_event __user *, result)
1721{
1722 int (*cancel)(struct kiocb *iocb, struct io_event *res);
1723 struct kioctx *ctx;
1724 struct kiocb *kiocb;
1725 u32 key;
1726 int ret;
1727
1728 ret = get_user(key, &iocb->aio_key);
1729 if (unlikely(ret))
1730 return -EFAULT;
1731
1732 ctx = lookup_ioctx(ctx_id);
1733 if (unlikely(!ctx))
1734 return -EINVAL;
1735
1736 spin_lock_irq(&ctx->ctx_lock);
1737 ret = -EAGAIN;
1738 kiocb = lookup_kiocb(ctx, iocb, key);
1739 if (kiocb && kiocb->ki_cancel) {
1740 cancel = kiocb->ki_cancel;
1741 kiocb->ki_users ++;
1742 kiocbSetCancelled(kiocb);
1743 } else
1744 cancel = NULL;
1745 spin_unlock_irq(&ctx->ctx_lock);
1746
1747 if (NULL != cancel) {
1748 struct io_event tmp;
1749 pr_debug("calling cancel\n");
1750 memset(&tmp, 0, sizeof(tmp));
1751 tmp.obj = (u64)(unsigned long)kiocb->ki_obj.user;
1752 tmp.data = kiocb->ki_user_data;
1753 ret = cancel(kiocb, &tmp);
1754 if (!ret) {
1755 /* Cancellation succeeded -- copy the result
1756 * into the user's buffer.
1757 */
1758 if (copy_to_user(result, &tmp, sizeof(tmp)))
1759 ret = -EFAULT;
1760 }
1761 } else
1762 ret = -EINVAL;
1763
1764 put_ioctx(ctx);
1765
1766 return ret;
1767}
1768
1769/* io_getevents:
1770 * Attempts to read at least min_nr events and up to nr events from
1771 * the completion queue for the aio_context specified by ctx_id. If
1772 * it succeeds, the number of read events is returned. May fail with
1773 * -EINVAL if ctx_id is invalid, if min_nr is out of range, if nr is
1774 * out of range, if timeout is out of range. May fail with -EFAULT
1775 * if any of the memory specified is invalid. May return 0 or
1776 * < min_nr if the timeout specified by timeout has elapsed
1777 * before sufficient events are available, where timeout == NULL
1778 * specifies an infinite timeout. Note that the timeout pointed to by
1779 * timeout is relative and will be updated if not NULL and the
1780 * operation blocks. Will fail with -ENOSYS if not implemented.
1781 */
1782SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id,
1783 long, min_nr,
1784 long, nr,
1785 struct io_event __user *, events,
1786 struct timespec __user *, timeout)
1787{
1788 struct kioctx *ioctx = lookup_ioctx(ctx_id);
1789 long ret = -EINVAL;
1790
1791 if (likely(ioctx)) {
1792 if (likely(min_nr <= nr && min_nr >= 0))
1793 ret = read_events(ioctx, min_nr, nr, events, timeout);
1794 put_ioctx(ioctx);
1795 }
1796
1797 asmlinkage_protect(5, ret, ctx_id, min_nr, nr, events, timeout);
1798 return ret;
1799}