1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * FUSE: Filesystem in Userspace
4 * Copyright (c) 2023-2024 DataDirect Networks.
5 */
6
7 #include "fuse_i.h"
8 #include "dev_uring_i.h"
9 #include "fuse_dev_i.h"
10
11 #include <linux/fs.h>
12 #include <linux/io_uring/cmd.h>
13
14 static bool __read_mostly enable_uring;
15 module_param(enable_uring, bool, 0644);
16 MODULE_PARM_DESC(enable_uring,
17 "Enable userspace communication through io-uring");
18
19 #define FUSE_URING_IOV_SEGS 2 /* header and payload */
20
21
fuse_uring_enabled(void)22 bool fuse_uring_enabled(void)
23 {
24 return enable_uring;
25 }
26
27 struct fuse_uring_pdu {
28 struct fuse_ring_ent *ent;
29 };
30
31 static const struct fuse_iqueue_ops fuse_io_uring_ops;
32
uring_cmd_set_ring_ent(struct io_uring_cmd * cmd,struct fuse_ring_ent * ring_ent)33 static void uring_cmd_set_ring_ent(struct io_uring_cmd *cmd,
34 struct fuse_ring_ent *ring_ent)
35 {
36 struct fuse_uring_pdu *pdu =
37 io_uring_cmd_to_pdu(cmd, struct fuse_uring_pdu);
38
39 pdu->ent = ring_ent;
40 }
41
uring_cmd_to_ring_ent(struct io_uring_cmd * cmd)42 static struct fuse_ring_ent *uring_cmd_to_ring_ent(struct io_uring_cmd *cmd)
43 {
44 struct fuse_uring_pdu *pdu =
45 io_uring_cmd_to_pdu(cmd, struct fuse_uring_pdu);
46
47 return pdu->ent;
48 }
49
fuse_uring_flush_bg(struct fuse_ring_queue * queue)50 static void fuse_uring_flush_bg(struct fuse_ring_queue *queue)
51 {
52 struct fuse_ring *ring = queue->ring;
53 struct fuse_conn *fc = ring->fc;
54
55 lockdep_assert_held(&queue->lock);
56 lockdep_assert_held(&fc->bg_lock);
57
58 /*
59 * Allow one bg request per queue, ignoring global fc limits.
60 * This prevents a single queue from consuming all resources and
61 * eliminates the need for remote queue wake-ups when global
62 * limits are met but this queue has no more waiting requests.
63 */
64 while ((fc->active_background < fc->max_background ||
65 !queue->active_background) &&
66 (!list_empty(&queue->fuse_req_bg_queue))) {
67 struct fuse_req *req;
68
69 req = list_first_entry(&queue->fuse_req_bg_queue,
70 struct fuse_req, list);
71 fc->active_background++;
72 queue->active_background++;
73
74 list_move_tail(&req->list, &queue->fuse_req_queue);
75 }
76 }
77
fuse_uring_req_end(struct fuse_ring_ent * ent,struct fuse_req * req,int error)78 static void fuse_uring_req_end(struct fuse_ring_ent *ent, struct fuse_req *req,
79 int error)
80 {
81 struct fuse_ring_queue *queue = ent->queue;
82 struct fuse_ring *ring = queue->ring;
83 struct fuse_conn *fc = ring->fc;
84
85 lockdep_assert_not_held(&queue->lock);
86 spin_lock(&queue->lock);
87 ent->fuse_req = NULL;
88 if (test_bit(FR_BACKGROUND, &req->flags)) {
89 queue->active_background--;
90 spin_lock(&fc->bg_lock);
91 fuse_uring_flush_bg(queue);
92 spin_unlock(&fc->bg_lock);
93 }
94
95 spin_unlock(&queue->lock);
96
97 if (error)
98 req->out.h.error = error;
99
100 clear_bit(FR_SENT, &req->flags);
101 fuse_request_end(req);
102 }
103
104 /* Abort all list queued request on the given ring queue */
fuse_uring_abort_end_queue_requests(struct fuse_ring_queue * queue)105 static void fuse_uring_abort_end_queue_requests(struct fuse_ring_queue *queue)
106 {
107 struct fuse_req *req;
108 LIST_HEAD(req_list);
109
110 spin_lock(&queue->lock);
111 list_for_each_entry(req, &queue->fuse_req_queue, list)
112 clear_bit(FR_PENDING, &req->flags);
113 list_splice_init(&queue->fuse_req_queue, &req_list);
114 spin_unlock(&queue->lock);
115
116 /* must not hold queue lock to avoid order issues with fi->lock */
117 fuse_dev_end_requests(&req_list);
118 }
119
fuse_uring_abort_end_requests(struct fuse_ring * ring)120 void fuse_uring_abort_end_requests(struct fuse_ring *ring)
121 {
122 int qid;
123 struct fuse_ring_queue *queue;
124 struct fuse_conn *fc = ring->fc;
125
126 for (qid = 0; qid < ring->nr_queues; qid++) {
127 queue = READ_ONCE(ring->queues[qid]);
128 if (!queue)
129 continue;
130
131 queue->stopped = true;
132
133 WARN_ON_ONCE(ring->fc->max_background != UINT_MAX);
134 spin_lock(&queue->lock);
135 spin_lock(&fc->bg_lock);
136 fuse_uring_flush_bg(queue);
137 spin_unlock(&fc->bg_lock);
138 spin_unlock(&queue->lock);
139 fuse_uring_abort_end_queue_requests(queue);
140 }
141 }
142
fuse_uring_destruct(struct fuse_conn * fc)143 void fuse_uring_destruct(struct fuse_conn *fc)
144 {
145 struct fuse_ring *ring = fc->ring;
146 int qid;
147
148 if (!ring)
149 return;
150
151 for (qid = 0; qid < ring->nr_queues; qid++) {
152 struct fuse_ring_queue *queue = ring->queues[qid];
153 struct fuse_ring_ent *ent, *next;
154
155 if (!queue)
156 continue;
157
158 WARN_ON(!list_empty(&queue->ent_avail_queue));
159 WARN_ON(!list_empty(&queue->ent_w_req_queue));
160 WARN_ON(!list_empty(&queue->ent_commit_queue));
161 WARN_ON(!list_empty(&queue->ent_in_userspace));
162
163 list_for_each_entry_safe(ent, next, &queue->ent_released,
164 list) {
165 list_del_init(&ent->list);
166 kfree(ent);
167 }
168
169 kfree(queue->fpq.processing);
170 kfree(queue);
171 ring->queues[qid] = NULL;
172 }
173
174 kfree(ring->queues);
175 kfree(ring);
176 fc->ring = NULL;
177 }
178
179 /*
180 * Basic ring setup for this connection based on the provided configuration
181 */
fuse_uring_create(struct fuse_conn * fc)182 static struct fuse_ring *fuse_uring_create(struct fuse_conn *fc)
183 {
184 struct fuse_ring *ring;
185 size_t nr_queues = num_possible_cpus();
186 struct fuse_ring *res = NULL;
187 size_t max_payload_size;
188
189 ring = kzalloc(sizeof(*fc->ring), GFP_KERNEL_ACCOUNT);
190 if (!ring)
191 return NULL;
192
193 ring->queues = kcalloc(nr_queues, sizeof(struct fuse_ring_queue *),
194 GFP_KERNEL_ACCOUNT);
195 if (!ring->queues)
196 goto out_err;
197
198 max_payload_size = max(FUSE_MIN_READ_BUFFER, fc->max_write);
199 max_payload_size = max(max_payload_size, fc->max_pages * PAGE_SIZE);
200
201 spin_lock(&fc->lock);
202 if (fc->ring) {
203 /* race, another thread created the ring in the meantime */
204 spin_unlock(&fc->lock);
205 res = fc->ring;
206 goto out_err;
207 }
208
209 init_waitqueue_head(&ring->stop_waitq);
210
211 ring->nr_queues = nr_queues;
212 ring->fc = fc;
213 ring->max_payload_sz = max_payload_size;
214 atomic_set(&ring->queue_refs, 0);
215 smp_store_release(&fc->ring, ring);
216
217 spin_unlock(&fc->lock);
218 return ring;
219
220 out_err:
221 kfree(ring->queues);
222 kfree(ring);
223 return res;
224 }
225
fuse_uring_create_queue(struct fuse_ring * ring,int qid)226 static struct fuse_ring_queue *fuse_uring_create_queue(struct fuse_ring *ring,
227 int qid)
228 {
229 struct fuse_conn *fc = ring->fc;
230 struct fuse_ring_queue *queue;
231 struct list_head *pq;
232
233 queue = kzalloc(sizeof(*queue), GFP_KERNEL_ACCOUNT);
234 if (!queue)
235 return NULL;
236 pq = kcalloc(FUSE_PQ_HASH_SIZE, sizeof(struct list_head), GFP_KERNEL);
237 if (!pq) {
238 kfree(queue);
239 return NULL;
240 }
241
242 queue->qid = qid;
243 queue->ring = ring;
244 spin_lock_init(&queue->lock);
245
246 INIT_LIST_HEAD(&queue->ent_avail_queue);
247 INIT_LIST_HEAD(&queue->ent_commit_queue);
248 INIT_LIST_HEAD(&queue->ent_w_req_queue);
249 INIT_LIST_HEAD(&queue->ent_in_userspace);
250 INIT_LIST_HEAD(&queue->fuse_req_queue);
251 INIT_LIST_HEAD(&queue->fuse_req_bg_queue);
252 INIT_LIST_HEAD(&queue->ent_released);
253
254 queue->fpq.processing = pq;
255 fuse_pqueue_init(&queue->fpq);
256
257 spin_lock(&fc->lock);
258 if (ring->queues[qid]) {
259 spin_unlock(&fc->lock);
260 kfree(queue->fpq.processing);
261 kfree(queue);
262 return ring->queues[qid];
263 }
264
265 /*
266 * write_once and lock as the caller mostly doesn't take the lock at all
267 */
268 WRITE_ONCE(ring->queues[qid], queue);
269 spin_unlock(&fc->lock);
270
271 return queue;
272 }
273
fuse_uring_stop_fuse_req_end(struct fuse_req * req)274 static void fuse_uring_stop_fuse_req_end(struct fuse_req *req)
275 {
276 clear_bit(FR_SENT, &req->flags);
277 req->out.h.error = -ECONNABORTED;
278 fuse_request_end(req);
279 }
280
281 /*
282 * Release a request/entry on connection tear down
283 */
fuse_uring_entry_teardown(struct fuse_ring_ent * ent)284 static void fuse_uring_entry_teardown(struct fuse_ring_ent *ent)
285 {
286 struct fuse_req *req;
287 struct io_uring_cmd *cmd;
288
289 struct fuse_ring_queue *queue = ent->queue;
290
291 spin_lock(&queue->lock);
292 cmd = ent->cmd;
293 ent->cmd = NULL;
294 req = ent->fuse_req;
295 ent->fuse_req = NULL;
296 if (req) {
297 /* remove entry from queue->fpq->processing */
298 list_del_init(&req->list);
299 }
300
301 /*
302 * The entry must not be freed immediately, due to access of direct
303 * pointer access of entries through IO_URING_F_CANCEL - there is a risk
304 * of race between daemon termination (which triggers IO_URING_F_CANCEL
305 * and accesses entries without checking the list state first
306 */
307 list_move(&ent->list, &queue->ent_released);
308 ent->state = FRRS_RELEASED;
309 spin_unlock(&queue->lock);
310
311 if (cmd)
312 io_uring_cmd_done(cmd, -ENOTCONN, 0, IO_URING_F_UNLOCKED);
313
314 if (req)
315 fuse_uring_stop_fuse_req_end(req);
316 }
317
fuse_uring_stop_list_entries(struct list_head * head,struct fuse_ring_queue * queue,enum fuse_ring_req_state exp_state)318 static void fuse_uring_stop_list_entries(struct list_head *head,
319 struct fuse_ring_queue *queue,
320 enum fuse_ring_req_state exp_state)
321 {
322 struct fuse_ring *ring = queue->ring;
323 struct fuse_ring_ent *ent, *next;
324 ssize_t queue_refs = SSIZE_MAX;
325 LIST_HEAD(to_teardown);
326
327 spin_lock(&queue->lock);
328 list_for_each_entry_safe(ent, next, head, list) {
329 if (ent->state != exp_state) {
330 pr_warn("entry teardown qid=%d state=%d expected=%d",
331 queue->qid, ent->state, exp_state);
332 continue;
333 }
334
335 ent->state = FRRS_TEARDOWN;
336 list_move(&ent->list, &to_teardown);
337 }
338 spin_unlock(&queue->lock);
339
340 /* no queue lock to avoid lock order issues */
341 list_for_each_entry_safe(ent, next, &to_teardown, list) {
342 fuse_uring_entry_teardown(ent);
343 queue_refs = atomic_dec_return(&ring->queue_refs);
344 WARN_ON_ONCE(queue_refs < 0);
345 }
346 }
347
fuse_uring_teardown_entries(struct fuse_ring_queue * queue)348 static void fuse_uring_teardown_entries(struct fuse_ring_queue *queue)
349 {
350 fuse_uring_stop_list_entries(&queue->ent_in_userspace, queue,
351 FRRS_USERSPACE);
352 fuse_uring_stop_list_entries(&queue->ent_avail_queue, queue,
353 FRRS_AVAILABLE);
354 }
355
356 /*
357 * Log state debug info
358 */
fuse_uring_log_ent_state(struct fuse_ring * ring)359 static void fuse_uring_log_ent_state(struct fuse_ring *ring)
360 {
361 int qid;
362 struct fuse_ring_ent *ent;
363
364 for (qid = 0; qid < ring->nr_queues; qid++) {
365 struct fuse_ring_queue *queue = ring->queues[qid];
366
367 if (!queue)
368 continue;
369
370 spin_lock(&queue->lock);
371 /*
372 * Log entries from the intermediate queue, the other queues
373 * should be empty
374 */
375 list_for_each_entry(ent, &queue->ent_w_req_queue, list) {
376 pr_info(" ent-req-queue ring=%p qid=%d ent=%p state=%d\n",
377 ring, qid, ent, ent->state);
378 }
379 list_for_each_entry(ent, &queue->ent_commit_queue, list) {
380 pr_info(" ent-commit-queue ring=%p qid=%d ent=%p state=%d\n",
381 ring, qid, ent, ent->state);
382 }
383 spin_unlock(&queue->lock);
384 }
385 ring->stop_debug_log = 1;
386 }
387
fuse_uring_async_stop_queues(struct work_struct * work)388 static void fuse_uring_async_stop_queues(struct work_struct *work)
389 {
390 int qid;
391 struct fuse_ring *ring =
392 container_of(work, struct fuse_ring, async_teardown_work.work);
393
394 /* XXX code dup */
395 for (qid = 0; qid < ring->nr_queues; qid++) {
396 struct fuse_ring_queue *queue = READ_ONCE(ring->queues[qid]);
397
398 if (!queue)
399 continue;
400
401 fuse_uring_teardown_entries(queue);
402 }
403
404 /*
405 * Some ring entries might be in the middle of IO operations,
406 * i.e. in process to get handled by file_operations::uring_cmd
407 * or on the way to userspace - we could handle that with conditions in
408 * run time code, but easier/cleaner to have an async tear down handler
409 * If there are still queue references left
410 */
411 if (atomic_read(&ring->queue_refs) > 0) {
412 if (time_after(jiffies,
413 ring->teardown_time + FUSE_URING_TEARDOWN_TIMEOUT))
414 fuse_uring_log_ent_state(ring);
415
416 schedule_delayed_work(&ring->async_teardown_work,
417 FUSE_URING_TEARDOWN_INTERVAL);
418 } else {
419 wake_up_all(&ring->stop_waitq);
420 }
421 }
422
423 /*
424 * Stop the ring queues
425 */
fuse_uring_stop_queues(struct fuse_ring * ring)426 void fuse_uring_stop_queues(struct fuse_ring *ring)
427 {
428 int qid;
429
430 for (qid = 0; qid < ring->nr_queues; qid++) {
431 struct fuse_ring_queue *queue = READ_ONCE(ring->queues[qid]);
432
433 if (!queue)
434 continue;
435
436 fuse_uring_teardown_entries(queue);
437 }
438
439 if (atomic_read(&ring->queue_refs) > 0) {
440 ring->teardown_time = jiffies;
441 INIT_DELAYED_WORK(&ring->async_teardown_work,
442 fuse_uring_async_stop_queues);
443 schedule_delayed_work(&ring->async_teardown_work,
444 FUSE_URING_TEARDOWN_INTERVAL);
445 } else {
446 wake_up_all(&ring->stop_waitq);
447 }
448 }
449
450 /*
451 * Handle IO_URING_F_CANCEL, typically should come on daemon termination.
452 *
453 * Releasing the last entry should trigger fuse_dev_release() if
454 * the daemon was terminated
455 */
fuse_uring_cancel(struct io_uring_cmd * cmd,unsigned int issue_flags)456 static void fuse_uring_cancel(struct io_uring_cmd *cmd,
457 unsigned int issue_flags)
458 {
459 struct fuse_ring_ent *ent = uring_cmd_to_ring_ent(cmd);
460 struct fuse_ring_queue *queue;
461 bool need_cmd_done = false;
462
463 /*
464 * direct access on ent - it must not be destructed as long as
465 * IO_URING_F_CANCEL might come up
466 */
467 queue = ent->queue;
468 spin_lock(&queue->lock);
469 if (ent->state == FRRS_AVAILABLE) {
470 ent->state = FRRS_USERSPACE;
471 list_move(&ent->list, &queue->ent_in_userspace);
472 need_cmd_done = true;
473 ent->cmd = NULL;
474 }
475 spin_unlock(&queue->lock);
476
477 if (need_cmd_done) {
478 /* no queue lock to avoid lock order issues */
479 io_uring_cmd_done(cmd, -ENOTCONN, 0, issue_flags);
480 }
481 }
482
fuse_uring_prepare_cancel(struct io_uring_cmd * cmd,int issue_flags,struct fuse_ring_ent * ring_ent)483 static void fuse_uring_prepare_cancel(struct io_uring_cmd *cmd, int issue_flags,
484 struct fuse_ring_ent *ring_ent)
485 {
486 uring_cmd_set_ring_ent(cmd, ring_ent);
487 io_uring_cmd_mark_cancelable(cmd, issue_flags);
488 }
489
490 /*
491 * Checks for errors and stores it into the request
492 */
fuse_uring_out_header_has_err(struct fuse_out_header * oh,struct fuse_req * req,struct fuse_conn * fc)493 static int fuse_uring_out_header_has_err(struct fuse_out_header *oh,
494 struct fuse_req *req,
495 struct fuse_conn *fc)
496 {
497 int err;
498
499 err = -EINVAL;
500 if (oh->unique == 0) {
501 /* Not supported through io-uring yet */
502 pr_warn_once("notify through fuse-io-uring not supported\n");
503 goto err;
504 }
505
506 if (oh->error <= -ERESTARTSYS || oh->error > 0)
507 goto err;
508
509 if (oh->error) {
510 err = oh->error;
511 goto err;
512 }
513
514 err = -ENOENT;
515 if ((oh->unique & ~FUSE_INT_REQ_BIT) != req->in.h.unique) {
516 pr_warn_ratelimited("unique mismatch, expected: %llu got %llu\n",
517 req->in.h.unique,
518 oh->unique & ~FUSE_INT_REQ_BIT);
519 goto err;
520 }
521
522 /*
523 * Is it an interrupt reply ID?
524 * XXX: Not supported through fuse-io-uring yet, it should not even
525 * find the request - should not happen.
526 */
527 WARN_ON_ONCE(oh->unique & FUSE_INT_REQ_BIT);
528
529 err = 0;
530 err:
531 return err;
532 }
533
fuse_uring_copy_from_ring(struct fuse_ring * ring,struct fuse_req * req,struct fuse_ring_ent * ent)534 static int fuse_uring_copy_from_ring(struct fuse_ring *ring,
535 struct fuse_req *req,
536 struct fuse_ring_ent *ent)
537 {
538 struct fuse_copy_state cs;
539 struct fuse_args *args = req->args;
540 struct iov_iter iter;
541 int err;
542 struct fuse_uring_ent_in_out ring_in_out;
543
544 err = copy_from_user(&ring_in_out, &ent->headers->ring_ent_in_out,
545 sizeof(ring_in_out));
546 if (err)
547 return -EFAULT;
548
549 err = import_ubuf(ITER_SOURCE, ent->payload, ring->max_payload_sz,
550 &iter);
551 if (err)
552 return err;
553
554 fuse_copy_init(&cs, 0, &iter);
555 cs.is_uring = 1;
556 cs.req = req;
557
558 return fuse_copy_out_args(&cs, args, ring_in_out.payload_sz);
559 }
560
561 /*
562 * Copy data from the req to the ring buffer
563 */
fuse_uring_args_to_ring(struct fuse_ring * ring,struct fuse_req * req,struct fuse_ring_ent * ent)564 static int fuse_uring_args_to_ring(struct fuse_ring *ring, struct fuse_req *req,
565 struct fuse_ring_ent *ent)
566 {
567 struct fuse_copy_state cs;
568 struct fuse_args *args = req->args;
569 struct fuse_in_arg *in_args = args->in_args;
570 int num_args = args->in_numargs;
571 int err;
572 struct iov_iter iter;
573 struct fuse_uring_ent_in_out ent_in_out = {
574 .flags = 0,
575 .commit_id = req->in.h.unique,
576 };
577
578 err = import_ubuf(ITER_DEST, ent->payload, ring->max_payload_sz, &iter);
579 if (err) {
580 pr_info_ratelimited("fuse: Import of user buffer failed\n");
581 return err;
582 }
583
584 fuse_copy_init(&cs, 1, &iter);
585 cs.is_uring = 1;
586 cs.req = req;
587
588 if (num_args > 0) {
589 /*
590 * Expectation is that the first argument is the per op header.
591 * Some op code have that as zero size.
592 */
593 if (args->in_args[0].size > 0) {
594 err = copy_to_user(&ent->headers->op_in, in_args->value,
595 in_args->size);
596 if (err) {
597 pr_info_ratelimited(
598 "Copying the header failed.\n");
599 return -EFAULT;
600 }
601 }
602 in_args++;
603 num_args--;
604 }
605
606 /* copy the payload */
607 err = fuse_copy_args(&cs, num_args, args->in_pages,
608 (struct fuse_arg *)in_args, 0);
609 if (err) {
610 pr_info_ratelimited("%s fuse_copy_args failed\n", __func__);
611 return err;
612 }
613
614 ent_in_out.payload_sz = cs.ring.copied_sz;
615 err = copy_to_user(&ent->headers->ring_ent_in_out, &ent_in_out,
616 sizeof(ent_in_out));
617 return err ? -EFAULT : 0;
618 }
619
fuse_uring_copy_to_ring(struct fuse_ring_ent * ent,struct fuse_req * req)620 static int fuse_uring_copy_to_ring(struct fuse_ring_ent *ent,
621 struct fuse_req *req)
622 {
623 struct fuse_ring_queue *queue = ent->queue;
624 struct fuse_ring *ring = queue->ring;
625 int err;
626
627 err = -EIO;
628 if (WARN_ON(ent->state != FRRS_FUSE_REQ)) {
629 pr_err("qid=%d ring-req=%p invalid state %d on send\n",
630 queue->qid, ent, ent->state);
631 return err;
632 }
633
634 err = -EINVAL;
635 if (WARN_ON(req->in.h.unique == 0))
636 return err;
637
638 /* copy the request */
639 err = fuse_uring_args_to_ring(ring, req, ent);
640 if (unlikely(err)) {
641 pr_info_ratelimited("Copy to ring failed: %d\n", err);
642 return err;
643 }
644
645 /* copy fuse_in_header */
646 err = copy_to_user(&ent->headers->in_out, &req->in.h,
647 sizeof(req->in.h));
648 if (err) {
649 err = -EFAULT;
650 return err;
651 }
652
653 return 0;
654 }
655
fuse_uring_prepare_send(struct fuse_ring_ent * ent,struct fuse_req * req)656 static int fuse_uring_prepare_send(struct fuse_ring_ent *ent,
657 struct fuse_req *req)
658 {
659 int err;
660
661 err = fuse_uring_copy_to_ring(ent, req);
662 if (!err)
663 set_bit(FR_SENT, &req->flags);
664 else
665 fuse_uring_req_end(ent, req, err);
666
667 return err;
668 }
669
670 /*
671 * Write data to the ring buffer and send the request to userspace,
672 * userspace will read it
673 * This is comparable with classical read(/dev/fuse)
674 */
fuse_uring_send_next_to_ring(struct fuse_ring_ent * ent,struct fuse_req * req,unsigned int issue_flags)675 static int fuse_uring_send_next_to_ring(struct fuse_ring_ent *ent,
676 struct fuse_req *req,
677 unsigned int issue_flags)
678 {
679 struct fuse_ring_queue *queue = ent->queue;
680 int err;
681 struct io_uring_cmd *cmd;
682
683 err = fuse_uring_prepare_send(ent, req);
684 if (err)
685 return err;
686
687 spin_lock(&queue->lock);
688 cmd = ent->cmd;
689 ent->cmd = NULL;
690 ent->state = FRRS_USERSPACE;
691 list_move(&ent->list, &queue->ent_in_userspace);
692 spin_unlock(&queue->lock);
693
694 io_uring_cmd_done(cmd, 0, 0, issue_flags);
695 return 0;
696 }
697
698 /*
699 * Make a ring entry available for fuse_req assignment
700 */
fuse_uring_ent_avail(struct fuse_ring_ent * ent,struct fuse_ring_queue * queue)701 static void fuse_uring_ent_avail(struct fuse_ring_ent *ent,
702 struct fuse_ring_queue *queue)
703 {
704 WARN_ON_ONCE(!ent->cmd);
705 list_move(&ent->list, &queue->ent_avail_queue);
706 ent->state = FRRS_AVAILABLE;
707 }
708
709 /* Used to find the request on SQE commit */
fuse_uring_add_to_pq(struct fuse_ring_ent * ent,struct fuse_req * req)710 static void fuse_uring_add_to_pq(struct fuse_ring_ent *ent,
711 struct fuse_req *req)
712 {
713 struct fuse_ring_queue *queue = ent->queue;
714 struct fuse_pqueue *fpq = &queue->fpq;
715 unsigned int hash;
716
717 req->ring_entry = ent;
718 hash = fuse_req_hash(req->in.h.unique);
719 list_move_tail(&req->list, &fpq->processing[hash]);
720 }
721
722 /*
723 * Assign a fuse queue entry to the given entry
724 */
fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent * ent,struct fuse_req * req)725 static void fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent *ent,
726 struct fuse_req *req)
727 {
728 struct fuse_ring_queue *queue = ent->queue;
729
730 lockdep_assert_held(&queue->lock);
731
732 if (WARN_ON_ONCE(ent->state != FRRS_AVAILABLE &&
733 ent->state != FRRS_COMMIT)) {
734 pr_warn("%s qid=%d state=%d\n", __func__, ent->queue->qid,
735 ent->state);
736 }
737
738 clear_bit(FR_PENDING, &req->flags);
739 ent->fuse_req = req;
740 ent->state = FRRS_FUSE_REQ;
741 list_move(&ent->list, &queue->ent_w_req_queue);
742 fuse_uring_add_to_pq(ent, req);
743 }
744
745 /* Fetch the next fuse request if available */
fuse_uring_ent_assign_req(struct fuse_ring_ent * ent)746 static struct fuse_req *fuse_uring_ent_assign_req(struct fuse_ring_ent *ent)
747 __must_hold(&queue->lock)
748 {
749 struct fuse_req *req;
750 struct fuse_ring_queue *queue = ent->queue;
751 struct list_head *req_queue = &queue->fuse_req_queue;
752
753 lockdep_assert_held(&queue->lock);
754
755 /* get and assign the next entry while it is still holding the lock */
756 req = list_first_entry_or_null(req_queue, struct fuse_req, list);
757 if (req)
758 fuse_uring_add_req_to_ring_ent(ent, req);
759
760 return req;
761 }
762
763 /*
764 * Read data from the ring buffer, which user space has written to
765 * This is comparible with handling of classical write(/dev/fuse).
766 * Also make the ring request available again for new fuse requests.
767 */
fuse_uring_commit(struct fuse_ring_ent * ent,struct fuse_req * req,unsigned int issue_flags)768 static void fuse_uring_commit(struct fuse_ring_ent *ent, struct fuse_req *req,
769 unsigned int issue_flags)
770 {
771 struct fuse_ring *ring = ent->queue->ring;
772 struct fuse_conn *fc = ring->fc;
773 ssize_t err = 0;
774
775 err = copy_from_user(&req->out.h, &ent->headers->in_out,
776 sizeof(req->out.h));
777 if (err) {
778 req->out.h.error = -EFAULT;
779 goto out;
780 }
781
782 err = fuse_uring_out_header_has_err(&req->out.h, req, fc);
783 if (err) {
784 /* req->out.h.error already set */
785 goto out;
786 }
787
788 err = fuse_uring_copy_from_ring(ring, req, ent);
789 out:
790 fuse_uring_req_end(ent, req, err);
791 }
792
793 /*
794 * Get the next fuse req and send it
795 */
fuse_uring_next_fuse_req(struct fuse_ring_ent * ent,struct fuse_ring_queue * queue,unsigned int issue_flags)796 static void fuse_uring_next_fuse_req(struct fuse_ring_ent *ent,
797 struct fuse_ring_queue *queue,
798 unsigned int issue_flags)
799 {
800 int err;
801 struct fuse_req *req;
802
803 retry:
804 spin_lock(&queue->lock);
805 fuse_uring_ent_avail(ent, queue);
806 req = fuse_uring_ent_assign_req(ent);
807 spin_unlock(&queue->lock);
808
809 if (req) {
810 err = fuse_uring_send_next_to_ring(ent, req, issue_flags);
811 if (err)
812 goto retry;
813 }
814 }
815
fuse_ring_ent_set_commit(struct fuse_ring_ent * ent)816 static int fuse_ring_ent_set_commit(struct fuse_ring_ent *ent)
817 {
818 struct fuse_ring_queue *queue = ent->queue;
819
820 lockdep_assert_held(&queue->lock);
821
822 if (WARN_ON_ONCE(ent->state != FRRS_USERSPACE))
823 return -EIO;
824
825 ent->state = FRRS_COMMIT;
826 list_move(&ent->list, &queue->ent_commit_queue);
827
828 return 0;
829 }
830
831 /* FUSE_URING_CMD_COMMIT_AND_FETCH handler */
fuse_uring_commit_fetch(struct io_uring_cmd * cmd,int issue_flags,struct fuse_conn * fc)832 static int fuse_uring_commit_fetch(struct io_uring_cmd *cmd, int issue_flags,
833 struct fuse_conn *fc)
834 {
835 const struct fuse_uring_cmd_req *cmd_req = io_uring_sqe_cmd(cmd->sqe);
836 struct fuse_ring_ent *ent;
837 int err;
838 struct fuse_ring *ring = fc->ring;
839 struct fuse_ring_queue *queue;
840 uint64_t commit_id = READ_ONCE(cmd_req->commit_id);
841 unsigned int qid = READ_ONCE(cmd_req->qid);
842 struct fuse_pqueue *fpq;
843 struct fuse_req *req;
844
845 err = -ENOTCONN;
846 if (!ring)
847 return err;
848
849 if (qid >= ring->nr_queues)
850 return -EINVAL;
851
852 queue = ring->queues[qid];
853 if (!queue)
854 return err;
855 fpq = &queue->fpq;
856
857 if (!READ_ONCE(fc->connected) || READ_ONCE(queue->stopped))
858 return err;
859
860 spin_lock(&queue->lock);
861 /* Find a request based on the unique ID of the fuse request
862 * This should get revised, as it needs a hash calculation and list
863 * search. And full struct fuse_pqueue is needed (memory overhead).
864 * As well as the link from req to ring_ent.
865 */
866 req = fuse_request_find(fpq, commit_id);
867 err = -ENOENT;
868 if (!req) {
869 pr_info("qid=%d commit_id %llu not found\n", queue->qid,
870 commit_id);
871 spin_unlock(&queue->lock);
872 return err;
873 }
874 list_del_init(&req->list);
875 ent = req->ring_entry;
876 req->ring_entry = NULL;
877
878 err = fuse_ring_ent_set_commit(ent);
879 if (err != 0) {
880 pr_info_ratelimited("qid=%d commit_id %llu state %d",
881 queue->qid, commit_id, ent->state);
882 spin_unlock(&queue->lock);
883 req->out.h.error = err;
884 clear_bit(FR_SENT, &req->flags);
885 fuse_request_end(req);
886 return err;
887 }
888
889 ent->cmd = cmd;
890 spin_unlock(&queue->lock);
891
892 /* without the queue lock, as other locks are taken */
893 fuse_uring_prepare_cancel(cmd, issue_flags, ent);
894 fuse_uring_commit(ent, req, issue_flags);
895
896 /*
897 * Fetching the next request is absolutely required as queued
898 * fuse requests would otherwise not get processed - committing
899 * and fetching is done in one step vs legacy fuse, which has separated
900 * read (fetch request) and write (commit result).
901 */
902 fuse_uring_next_fuse_req(ent, queue, issue_flags);
903 return 0;
904 }
905
is_ring_ready(struct fuse_ring * ring,int current_qid)906 static bool is_ring_ready(struct fuse_ring *ring, int current_qid)
907 {
908 int qid;
909 struct fuse_ring_queue *queue;
910 bool ready = true;
911
912 for (qid = 0; qid < ring->nr_queues && ready; qid++) {
913 if (current_qid == qid)
914 continue;
915
916 queue = ring->queues[qid];
917 if (!queue) {
918 ready = false;
919 break;
920 }
921
922 spin_lock(&queue->lock);
923 if (list_empty(&queue->ent_avail_queue))
924 ready = false;
925 spin_unlock(&queue->lock);
926 }
927
928 return ready;
929 }
930
931 /*
932 * fuse_uring_req_fetch command handling
933 */
fuse_uring_do_register(struct fuse_ring_ent * ent,struct io_uring_cmd * cmd,unsigned int issue_flags)934 static void fuse_uring_do_register(struct fuse_ring_ent *ent,
935 struct io_uring_cmd *cmd,
936 unsigned int issue_flags)
937 {
938 struct fuse_ring_queue *queue = ent->queue;
939 struct fuse_ring *ring = queue->ring;
940 struct fuse_conn *fc = ring->fc;
941 struct fuse_iqueue *fiq = &fc->iq;
942
943 fuse_uring_prepare_cancel(cmd, issue_flags, ent);
944
945 spin_lock(&queue->lock);
946 ent->cmd = cmd;
947 fuse_uring_ent_avail(ent, queue);
948 spin_unlock(&queue->lock);
949
950 if (!ring->ready) {
951 bool ready = is_ring_ready(ring, queue->qid);
952
953 if (ready) {
954 WRITE_ONCE(fiq->ops, &fuse_io_uring_ops);
955 WRITE_ONCE(ring->ready, true);
956 wake_up_all(&fc->blocked_waitq);
957 }
958 }
959 }
960
961 /*
962 * sqe->addr is a ptr to an iovec array, iov[0] has the headers, iov[1]
963 * the payload
964 */
fuse_uring_get_iovec_from_sqe(const struct io_uring_sqe * sqe,struct iovec iov[FUSE_URING_IOV_SEGS])965 static int fuse_uring_get_iovec_from_sqe(const struct io_uring_sqe *sqe,
966 struct iovec iov[FUSE_URING_IOV_SEGS])
967 {
968 struct iovec __user *uiov = u64_to_user_ptr(READ_ONCE(sqe->addr));
969 struct iov_iter iter;
970 ssize_t ret;
971
972 if (sqe->len != FUSE_URING_IOV_SEGS)
973 return -EINVAL;
974
975 /*
976 * Direction for buffer access will actually be READ and WRITE,
977 * using write for the import should include READ access as well.
978 */
979 ret = import_iovec(WRITE, uiov, FUSE_URING_IOV_SEGS,
980 FUSE_URING_IOV_SEGS, &iov, &iter);
981 if (ret < 0)
982 return ret;
983
984 return 0;
985 }
986
987 static struct fuse_ring_ent *
fuse_uring_create_ring_ent(struct io_uring_cmd * cmd,struct fuse_ring_queue * queue)988 fuse_uring_create_ring_ent(struct io_uring_cmd *cmd,
989 struct fuse_ring_queue *queue)
990 {
991 struct fuse_ring *ring = queue->ring;
992 struct fuse_ring_ent *ent;
993 size_t payload_size;
994 struct iovec iov[FUSE_URING_IOV_SEGS];
995 int err;
996
997 err = fuse_uring_get_iovec_from_sqe(cmd->sqe, iov);
998 if (err) {
999 pr_info_ratelimited("Failed to get iovec from sqe, err=%d\n",
1000 err);
1001 return ERR_PTR(err);
1002 }
1003
1004 err = -EINVAL;
1005 if (iov[0].iov_len < sizeof(struct fuse_uring_req_header)) {
1006 pr_info_ratelimited("Invalid header len %zu\n", iov[0].iov_len);
1007 return ERR_PTR(err);
1008 }
1009
1010 payload_size = iov[1].iov_len;
1011 if (payload_size < ring->max_payload_sz) {
1012 pr_info_ratelimited("Invalid req payload len %zu\n",
1013 payload_size);
1014 return ERR_PTR(err);
1015 }
1016
1017 err = -ENOMEM;
1018 ent = kzalloc(sizeof(*ent), GFP_KERNEL_ACCOUNT);
1019 if (!ent)
1020 return ERR_PTR(err);
1021
1022 INIT_LIST_HEAD(&ent->list);
1023
1024 ent->queue = queue;
1025 ent->headers = iov[0].iov_base;
1026 ent->payload = iov[1].iov_base;
1027
1028 atomic_inc(&ring->queue_refs);
1029 return ent;
1030 }
1031
1032 /*
1033 * Register header and payload buffer with the kernel and puts the
1034 * entry as "ready to get fuse requests" on the queue
1035 */
fuse_uring_register(struct io_uring_cmd * cmd,unsigned int issue_flags,struct fuse_conn * fc)1036 static int fuse_uring_register(struct io_uring_cmd *cmd,
1037 unsigned int issue_flags, struct fuse_conn *fc)
1038 {
1039 const struct fuse_uring_cmd_req *cmd_req = io_uring_sqe_cmd(cmd->sqe);
1040 struct fuse_ring *ring = smp_load_acquire(&fc->ring);
1041 struct fuse_ring_queue *queue;
1042 struct fuse_ring_ent *ent;
1043 int err;
1044 unsigned int qid = READ_ONCE(cmd_req->qid);
1045
1046 err = -ENOMEM;
1047 if (!ring) {
1048 ring = fuse_uring_create(fc);
1049 if (!ring)
1050 return err;
1051 }
1052
1053 if (qid >= ring->nr_queues) {
1054 pr_info_ratelimited("fuse: Invalid ring qid %u\n", qid);
1055 return -EINVAL;
1056 }
1057
1058 queue = ring->queues[qid];
1059 if (!queue) {
1060 queue = fuse_uring_create_queue(ring, qid);
1061 if (!queue)
1062 return err;
1063 }
1064
1065 /*
1066 * The created queue above does not need to be destructed in
1067 * case of entry errors below, will be done at ring destruction time.
1068 */
1069
1070 ent = fuse_uring_create_ring_ent(cmd, queue);
1071 if (IS_ERR(ent))
1072 return PTR_ERR(ent);
1073
1074 fuse_uring_do_register(ent, cmd, issue_flags);
1075
1076 return 0;
1077 }
1078
1079 /*
1080 * Entry function from io_uring to handle the given passthrough command
1081 * (op code IORING_OP_URING_CMD)
1082 */
fuse_uring_cmd(struct io_uring_cmd * cmd,unsigned int issue_flags)1083 int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
1084 {
1085 struct fuse_dev *fud;
1086 struct fuse_conn *fc;
1087 u32 cmd_op = cmd->cmd_op;
1088 int err;
1089
1090 if ((unlikely(issue_flags & IO_URING_F_CANCEL))) {
1091 fuse_uring_cancel(cmd, issue_flags);
1092 return 0;
1093 }
1094
1095 /* This extra SQE size holds struct fuse_uring_cmd_req */
1096 if (!(issue_flags & IO_URING_F_SQE128))
1097 return -EINVAL;
1098
1099 fud = fuse_get_dev(cmd->file);
1100 if (!fud) {
1101 pr_info_ratelimited("No fuse device found\n");
1102 return -ENOTCONN;
1103 }
1104 fc = fud->fc;
1105
1106 /* Once a connection has io-uring enabled on it, it can't be disabled */
1107 if (!enable_uring && !fc->io_uring) {
1108 pr_info_ratelimited("fuse-io-uring is disabled\n");
1109 return -EOPNOTSUPP;
1110 }
1111
1112 if (fc->aborted)
1113 return -ECONNABORTED;
1114 if (!fc->connected)
1115 return -ENOTCONN;
1116
1117 /*
1118 * fuse_uring_register() needs the ring to be initialized,
1119 * we need to know the max payload size
1120 */
1121 if (!fc->initialized)
1122 return -EAGAIN;
1123
1124 switch (cmd_op) {
1125 case FUSE_IO_URING_CMD_REGISTER:
1126 err = fuse_uring_register(cmd, issue_flags, fc);
1127 if (err) {
1128 pr_info_once("FUSE_IO_URING_CMD_REGISTER failed err=%d\n",
1129 err);
1130 fc->io_uring = 0;
1131 wake_up_all(&fc->blocked_waitq);
1132 return err;
1133 }
1134 break;
1135 case FUSE_IO_URING_CMD_COMMIT_AND_FETCH:
1136 err = fuse_uring_commit_fetch(cmd, issue_flags, fc);
1137 if (err) {
1138 pr_info_once("FUSE_IO_URING_COMMIT_AND_FETCH failed err=%d\n",
1139 err);
1140 return err;
1141 }
1142 break;
1143 default:
1144 return -EINVAL;
1145 }
1146
1147 return -EIOCBQUEUED;
1148 }
1149
fuse_uring_send(struct fuse_ring_ent * ent,struct io_uring_cmd * cmd,ssize_t ret,unsigned int issue_flags)1150 static void fuse_uring_send(struct fuse_ring_ent *ent, struct io_uring_cmd *cmd,
1151 ssize_t ret, unsigned int issue_flags)
1152 {
1153 struct fuse_ring_queue *queue = ent->queue;
1154
1155 spin_lock(&queue->lock);
1156 ent->state = FRRS_USERSPACE;
1157 list_move(&ent->list, &queue->ent_in_userspace);
1158 ent->cmd = NULL;
1159 spin_unlock(&queue->lock);
1160
1161 io_uring_cmd_done(cmd, ret, 0, issue_flags);
1162 }
1163
1164 /*
1165 * This prepares and sends the ring request in fuse-uring task context.
1166 * User buffers are not mapped yet - the application does not have permission
1167 * to write to it - this has to be executed in ring task context.
1168 */
fuse_uring_send_in_task(struct io_uring_cmd * cmd,unsigned int issue_flags)1169 static void fuse_uring_send_in_task(struct io_uring_cmd *cmd,
1170 unsigned int issue_flags)
1171 {
1172 struct fuse_ring_ent *ent = uring_cmd_to_ring_ent(cmd);
1173 struct fuse_ring_queue *queue = ent->queue;
1174 int err;
1175
1176 if (!(issue_flags & IO_URING_F_TASK_DEAD)) {
1177 err = fuse_uring_prepare_send(ent, ent->fuse_req);
1178 if (err) {
1179 fuse_uring_next_fuse_req(ent, queue, issue_flags);
1180 return;
1181 }
1182 } else {
1183 err = -ECANCELED;
1184 }
1185
1186 fuse_uring_send(ent, cmd, err, issue_flags);
1187 }
1188
fuse_uring_task_to_queue(struct fuse_ring * ring)1189 static struct fuse_ring_queue *fuse_uring_task_to_queue(struct fuse_ring *ring)
1190 {
1191 unsigned int qid;
1192 struct fuse_ring_queue *queue;
1193
1194 qid = task_cpu(current);
1195
1196 if (WARN_ONCE(qid >= ring->nr_queues,
1197 "Core number (%u) exceeds nr queues (%zu)\n", qid,
1198 ring->nr_queues))
1199 qid = 0;
1200
1201 queue = ring->queues[qid];
1202 WARN_ONCE(!queue, "Missing queue for qid %d\n", qid);
1203
1204 return queue;
1205 }
1206
fuse_uring_dispatch_ent(struct fuse_ring_ent * ent)1207 static void fuse_uring_dispatch_ent(struct fuse_ring_ent *ent)
1208 {
1209 struct io_uring_cmd *cmd = ent->cmd;
1210
1211 uring_cmd_set_ring_ent(cmd, ent);
1212 io_uring_cmd_complete_in_task(cmd, fuse_uring_send_in_task);
1213 }
1214
1215 /* queue a fuse request and send it if a ring entry is available */
fuse_uring_queue_fuse_req(struct fuse_iqueue * fiq,struct fuse_req * req)1216 void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req)
1217 {
1218 struct fuse_conn *fc = req->fm->fc;
1219 struct fuse_ring *ring = fc->ring;
1220 struct fuse_ring_queue *queue;
1221 struct fuse_ring_ent *ent = NULL;
1222 int err;
1223
1224 err = -EINVAL;
1225 queue = fuse_uring_task_to_queue(ring);
1226 if (!queue)
1227 goto err;
1228
1229 if (req->in.h.opcode != FUSE_NOTIFY_REPLY)
1230 req->in.h.unique = fuse_get_unique(fiq);
1231
1232 spin_lock(&queue->lock);
1233 err = -ENOTCONN;
1234 if (unlikely(queue->stopped))
1235 goto err_unlock;
1236
1237 set_bit(FR_URING, &req->flags);
1238 req->ring_queue = queue;
1239 ent = list_first_entry_or_null(&queue->ent_avail_queue,
1240 struct fuse_ring_ent, list);
1241 if (ent)
1242 fuse_uring_add_req_to_ring_ent(ent, req);
1243 else
1244 list_add_tail(&req->list, &queue->fuse_req_queue);
1245 spin_unlock(&queue->lock);
1246
1247 if (ent)
1248 fuse_uring_dispatch_ent(ent);
1249
1250 return;
1251
1252 err_unlock:
1253 spin_unlock(&queue->lock);
1254 err:
1255 req->out.h.error = err;
1256 clear_bit(FR_PENDING, &req->flags);
1257 fuse_request_end(req);
1258 }
1259
fuse_uring_queue_bq_req(struct fuse_req * req)1260 bool fuse_uring_queue_bq_req(struct fuse_req *req)
1261 {
1262 struct fuse_conn *fc = req->fm->fc;
1263 struct fuse_ring *ring = fc->ring;
1264 struct fuse_ring_queue *queue;
1265 struct fuse_ring_ent *ent = NULL;
1266
1267 queue = fuse_uring_task_to_queue(ring);
1268 if (!queue)
1269 return false;
1270
1271 spin_lock(&queue->lock);
1272 if (unlikely(queue->stopped)) {
1273 spin_unlock(&queue->lock);
1274 return false;
1275 }
1276
1277 set_bit(FR_URING, &req->flags);
1278 req->ring_queue = queue;
1279 list_add_tail(&req->list, &queue->fuse_req_bg_queue);
1280
1281 ent = list_first_entry_or_null(&queue->ent_avail_queue,
1282 struct fuse_ring_ent, list);
1283 spin_lock(&fc->bg_lock);
1284 fc->num_background++;
1285 if (fc->num_background == fc->max_background)
1286 fc->blocked = 1;
1287 fuse_uring_flush_bg(queue);
1288 spin_unlock(&fc->bg_lock);
1289
1290 /*
1291 * Due to bg_queue flush limits there might be other bg requests
1292 * in the queue that need to be handled first. Or no further req
1293 * might be available.
1294 */
1295 req = list_first_entry_or_null(&queue->fuse_req_queue, struct fuse_req,
1296 list);
1297 if (ent && req) {
1298 fuse_uring_add_req_to_ring_ent(ent, req);
1299 spin_unlock(&queue->lock);
1300
1301 fuse_uring_dispatch_ent(ent);
1302 } else {
1303 spin_unlock(&queue->lock);
1304 }
1305
1306 return true;
1307 }
1308
fuse_uring_remove_pending_req(struct fuse_req * req)1309 bool fuse_uring_remove_pending_req(struct fuse_req *req)
1310 {
1311 struct fuse_ring_queue *queue = req->ring_queue;
1312
1313 return fuse_remove_pending_req(req, &queue->lock);
1314 }
1315
1316 static const struct fuse_iqueue_ops fuse_io_uring_ops = {
1317 /* should be send over io-uring as enhancement */
1318 .send_forget = fuse_dev_queue_forget,
1319
1320 /*
1321 * could be send over io-uring, but interrupts should be rare,
1322 * no need to make the code complex
1323 */
1324 .send_interrupt = fuse_dev_queue_interrupt,
1325 .send_req = fuse_uring_queue_fuse_req,
1326 };
1327