1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * fs/eventfd.c
4 *
5 * Copyright (C) 2007 Davide Libenzi <davidel@xmailserver.org>
6 *
7 */
8
9 #include <linux/file.h>
10 #include <linux/poll.h>
11 #include <linux/init.h>
12 #include <linux/fs.h>
13 #include <linux/sched/signal.h>
14 #include <linux/kernel.h>
15 #include <linux/slab.h>
16 #include <linux/list.h>
17 #include <linux/spinlock.h>
18 #include <linux/anon_inodes.h>
19 #include <linux/syscalls.h>
20 #include <linux/export.h>
21 #include <linux/kref.h>
22 #include <linux/eventfd.h>
23 #include <linux/proc_fs.h>
24 #include <linux/seq_file.h>
25 #include <linux/idr.h>
26
27 static DEFINE_IDA(eventfd_ida);
28
29 struct eventfd_ctx {
30 struct kref kref;
31 wait_queue_head_t wqh;
32 /*
33 * Every time that a write(2) is performed on an eventfd, the
34 * value of the __u64 being written is added to "count" and a
35 * wakeup is performed on "wqh". A read(2) will return the "count"
36 * value to userspace, and will reset "count" to zero. The kernel
37 * side eventfd_signal() also, adds to the "count" counter and
38 * issue a wakeup.
39 */
40 __u64 count;
41 unsigned int flags;
42 int id;
43 };
44
45 /**
46 * eventfd_signal - Adds @n to the eventfd counter.
47 * @ctx: [in] Pointer to the eventfd context.
48 * @n: [in] Value of the counter to be added to the eventfd internal counter.
49 * The value cannot be negative.
50 *
51 * This function is supposed to be called by the kernel in paths that do not
52 * allow sleeping. In this function we allow the counter to reach the ULLONG_MAX
53 * value, and we signal this as overflow condition by returning a EPOLLERR
54 * to poll(2).
55 *
56 * Returns the amount by which the counter was incremented. This will be less
57 * than @n if the counter has overflowed.
58 */
eventfd_signal(struct eventfd_ctx * ctx,__u64 n)59 __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
60 {
61 unsigned long flags;
62
63 spin_lock_irqsave(&ctx->wqh.lock, flags);
64 if (ULLONG_MAX - ctx->count < n)
65 n = ULLONG_MAX - ctx->count;
66 ctx->count += n;
67 if (waitqueue_active(&ctx->wqh))
68 wake_up_locked_poll(&ctx->wqh, EPOLLIN);
69 spin_unlock_irqrestore(&ctx->wqh.lock, flags);
70
71 return n;
72 }
73 EXPORT_SYMBOL_GPL(eventfd_signal);
74
eventfd_free_ctx(struct eventfd_ctx * ctx)75 static void eventfd_free_ctx(struct eventfd_ctx *ctx)
76 {
77 if (ctx->id >= 0)
78 ida_simple_remove(&eventfd_ida, ctx->id);
79 kfree(ctx);
80 }
81
eventfd_free(struct kref * kref)82 static void eventfd_free(struct kref *kref)
83 {
84 struct eventfd_ctx *ctx = container_of(kref, struct eventfd_ctx, kref);
85
86 eventfd_free_ctx(ctx);
87 }
88
89 /**
90 * eventfd_ctx_put - Releases a reference to the internal eventfd context.
91 * @ctx: [in] Pointer to eventfd context.
92 *
93 * The eventfd context reference must have been previously acquired either
94 * with eventfd_ctx_fdget() or eventfd_ctx_fileget().
95 */
eventfd_ctx_put(struct eventfd_ctx * ctx)96 void eventfd_ctx_put(struct eventfd_ctx *ctx)
97 {
98 kref_put(&ctx->kref, eventfd_free);
99 }
100 EXPORT_SYMBOL_GPL(eventfd_ctx_put);
101
eventfd_release(struct inode * inode,struct file * file)102 static int eventfd_release(struct inode *inode, struct file *file)
103 {
104 struct eventfd_ctx *ctx = file->private_data;
105
106 wake_up_poll(&ctx->wqh, EPOLLHUP);
107 eventfd_ctx_put(ctx);
108 return 0;
109 }
110
eventfd_poll(struct file * file,poll_table * wait)111 static __poll_t eventfd_poll(struct file *file, poll_table *wait)
112 {
113 struct eventfd_ctx *ctx = file->private_data;
114 __poll_t events = 0;
115 u64 count;
116
117 poll_wait(file, &ctx->wqh, wait);
118
119 /*
120 * All writes to ctx->count occur within ctx->wqh.lock. This read
121 * can be done outside ctx->wqh.lock because we know that poll_wait
122 * takes that lock (through add_wait_queue) if our caller will sleep.
123 *
124 * The read _can_ therefore seep into add_wait_queue's critical
125 * section, but cannot move above it! add_wait_queue's spin_lock acts
126 * as an acquire barrier and ensures that the read be ordered properly
127 * against the writes. The following CAN happen and is safe:
128 *
129 * poll write
130 * ----------------- ------------
131 * lock ctx->wqh.lock (in poll_wait)
132 * count = ctx->count
133 * __add_wait_queue
134 * unlock ctx->wqh.lock
135 * lock ctx->qwh.lock
136 * ctx->count += n
137 * if (waitqueue_active)
138 * wake_up_locked_poll
139 * unlock ctx->qwh.lock
140 * eventfd_poll returns 0
141 *
142 * but the following, which would miss a wakeup, cannot happen:
143 *
144 * poll write
145 * ----------------- ------------
146 * count = ctx->count (INVALID!)
147 * lock ctx->qwh.lock
148 * ctx->count += n
149 * **waitqueue_active is false**
150 * **no wake_up_locked_poll!**
151 * unlock ctx->qwh.lock
152 * lock ctx->wqh.lock (in poll_wait)
153 * __add_wait_queue
154 * unlock ctx->wqh.lock
155 * eventfd_poll returns 0
156 */
157 count = READ_ONCE(ctx->count);
158
159 if (count > 0)
160 events |= EPOLLIN;
161 if (count == ULLONG_MAX)
162 events |= EPOLLERR;
163 if (ULLONG_MAX - 1 > count)
164 events |= EPOLLOUT;
165
166 return events;
167 }
168
eventfd_ctx_do_read(struct eventfd_ctx * ctx,__u64 * cnt)169 static void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
170 {
171 *cnt = (ctx->flags & EFD_SEMAPHORE) ? 1 : ctx->count;
172 ctx->count -= *cnt;
173 }
174
175 /**
176 * eventfd_ctx_remove_wait_queue - Read the current counter and removes wait queue.
177 * @ctx: [in] Pointer to eventfd context.
178 * @wait: [in] Wait queue to be removed.
179 * @cnt: [out] Pointer to the 64-bit counter value.
180 *
181 * Returns %0 if successful, or the following error codes:
182 *
183 * -EAGAIN : The operation would have blocked.
184 *
185 * This is used to atomically remove a wait queue entry from the eventfd wait
186 * queue head, and read/reset the counter value.
187 */
eventfd_ctx_remove_wait_queue(struct eventfd_ctx * ctx,wait_queue_entry_t * wait,__u64 * cnt)188 int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait,
189 __u64 *cnt)
190 {
191 unsigned long flags;
192
193 spin_lock_irqsave(&ctx->wqh.lock, flags);
194 eventfd_ctx_do_read(ctx, cnt);
195 __remove_wait_queue(&ctx->wqh, wait);
196 if (*cnt != 0 && waitqueue_active(&ctx->wqh))
197 wake_up_locked_poll(&ctx->wqh, EPOLLOUT);
198 spin_unlock_irqrestore(&ctx->wqh.lock, flags);
199
200 return *cnt != 0 ? 0 : -EAGAIN;
201 }
202 EXPORT_SYMBOL_GPL(eventfd_ctx_remove_wait_queue);
203
eventfd_read(struct file * file,char __user * buf,size_t count,loff_t * ppos)204 static ssize_t eventfd_read(struct file *file, char __user *buf, size_t count,
205 loff_t *ppos)
206 {
207 struct eventfd_ctx *ctx = file->private_data;
208 ssize_t res;
209 __u64 ucnt = 0;
210 DECLARE_WAITQUEUE(wait, current);
211
212 if (count < sizeof(ucnt))
213 return -EINVAL;
214
215 spin_lock_irq(&ctx->wqh.lock);
216 res = -EAGAIN;
217 if (ctx->count > 0)
218 res = sizeof(ucnt);
219 else if (!(file->f_flags & O_NONBLOCK)) {
220 __add_wait_queue(&ctx->wqh, &wait);
221 for (;;) {
222 set_current_state(TASK_INTERRUPTIBLE);
223 if (ctx->count > 0) {
224 res = sizeof(ucnt);
225 break;
226 }
227 if (signal_pending(current)) {
228 res = -ERESTARTSYS;
229 break;
230 }
231 spin_unlock_irq(&ctx->wqh.lock);
232 schedule();
233 spin_lock_irq(&ctx->wqh.lock);
234 }
235 __remove_wait_queue(&ctx->wqh, &wait);
236 __set_current_state(TASK_RUNNING);
237 }
238 if (likely(res > 0)) {
239 eventfd_ctx_do_read(ctx, &ucnt);
240 if (waitqueue_active(&ctx->wqh))
241 wake_up_locked_poll(&ctx->wqh, EPOLLOUT);
242 }
243 spin_unlock_irq(&ctx->wqh.lock);
244
245 if (res > 0 && put_user(ucnt, (__u64 __user *)buf))
246 return -EFAULT;
247
248 return res;
249 }
250
eventfd_write(struct file * file,const char __user * buf,size_t count,loff_t * ppos)251 static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t count,
252 loff_t *ppos)
253 {
254 struct eventfd_ctx *ctx = file->private_data;
255 ssize_t res;
256 __u64 ucnt;
257 DECLARE_WAITQUEUE(wait, current);
258
259 if (count < sizeof(ucnt))
260 return -EINVAL;
261 if (copy_from_user(&ucnt, buf, sizeof(ucnt)))
262 return -EFAULT;
263 if (ucnt == ULLONG_MAX)
264 return -EINVAL;
265 spin_lock_irq(&ctx->wqh.lock);
266 res = -EAGAIN;
267 if (ULLONG_MAX - ctx->count > ucnt)
268 res = sizeof(ucnt);
269 else if (!(file->f_flags & O_NONBLOCK)) {
270 __add_wait_queue(&ctx->wqh, &wait);
271 for (res = 0;;) {
272 set_current_state(TASK_INTERRUPTIBLE);
273 if (ULLONG_MAX - ctx->count > ucnt) {
274 res = sizeof(ucnt);
275 break;
276 }
277 if (signal_pending(current)) {
278 res = -ERESTARTSYS;
279 break;
280 }
281 spin_unlock_irq(&ctx->wqh.lock);
282 schedule();
283 spin_lock_irq(&ctx->wqh.lock);
284 }
285 __remove_wait_queue(&ctx->wqh, &wait);
286 __set_current_state(TASK_RUNNING);
287 }
288 if (likely(res > 0)) {
289 ctx->count += ucnt;
290 if (waitqueue_active(&ctx->wqh))
291 wake_up_locked_poll(&ctx->wqh, EPOLLIN);
292 }
293 spin_unlock_irq(&ctx->wqh.lock);
294
295 return res;
296 }
297
298 #ifdef CONFIG_PROC_FS
eventfd_show_fdinfo(struct seq_file * m,struct file * f)299 static void eventfd_show_fdinfo(struct seq_file *m, struct file *f)
300 {
301 struct eventfd_ctx *ctx = f->private_data;
302
303 spin_lock_irq(&ctx->wqh.lock);
304 seq_printf(m, "eventfd-count: %16llx\n",
305 (unsigned long long)ctx->count);
306 spin_unlock_irq(&ctx->wqh.lock);
307 seq_printf(m, "eventfd-id: %d\n", ctx->id);
308 }
309 #endif
310
311 static const struct file_operations eventfd_fops = {
312 #ifdef CONFIG_PROC_FS
313 .show_fdinfo = eventfd_show_fdinfo,
314 #endif
315 .release = eventfd_release,
316 .poll = eventfd_poll,
317 .read = eventfd_read,
318 .write = eventfd_write,
319 .llseek = noop_llseek,
320 };
321
322 /**
323 * eventfd_fget - Acquire a reference of an eventfd file descriptor.
324 * @fd: [in] Eventfd file descriptor.
325 *
326 * Returns a pointer to the eventfd file structure in case of success, or the
327 * following error pointer:
328 *
329 * -EBADF : Invalid @fd file descriptor.
330 * -EINVAL : The @fd file descriptor is not an eventfd file.
331 */
eventfd_fget(int fd)332 struct file *eventfd_fget(int fd)
333 {
334 struct file *file;
335
336 file = fget(fd);
337 if (!file)
338 return ERR_PTR(-EBADF);
339 if (file->f_op != &eventfd_fops) {
340 fput(file);
341 return ERR_PTR(-EINVAL);
342 }
343
344 return file;
345 }
346 EXPORT_SYMBOL_GPL(eventfd_fget);
347
348 /**
349 * eventfd_ctx_fdget - Acquires a reference to the internal eventfd context.
350 * @fd: [in] Eventfd file descriptor.
351 *
352 * Returns a pointer to the internal eventfd context, otherwise the error
353 * pointers returned by the following functions:
354 *
355 * eventfd_fget
356 */
eventfd_ctx_fdget(int fd)357 struct eventfd_ctx *eventfd_ctx_fdget(int fd)
358 {
359 struct eventfd_ctx *ctx;
360 struct fd f = fdget(fd);
361 if (!f.file)
362 return ERR_PTR(-EBADF);
363 ctx = eventfd_ctx_fileget(f.file);
364 fdput(f);
365 return ctx;
366 }
367 EXPORT_SYMBOL_GPL(eventfd_ctx_fdget);
368
369 /**
370 * eventfd_ctx_fileget - Acquires a reference to the internal eventfd context.
371 * @file: [in] Eventfd file pointer.
372 *
373 * Returns a pointer to the internal eventfd context, otherwise the error
374 * pointer:
375 *
376 * -EINVAL : The @fd file descriptor is not an eventfd file.
377 */
eventfd_ctx_fileget(struct file * file)378 struct eventfd_ctx *eventfd_ctx_fileget(struct file *file)
379 {
380 struct eventfd_ctx *ctx;
381
382 if (file->f_op != &eventfd_fops)
383 return ERR_PTR(-EINVAL);
384
385 ctx = file->private_data;
386 kref_get(&ctx->kref);
387 return ctx;
388 }
389 EXPORT_SYMBOL_GPL(eventfd_ctx_fileget);
390
do_eventfd(unsigned int count,int flags)391 static int do_eventfd(unsigned int count, int flags)
392 {
393 struct eventfd_ctx *ctx;
394 int fd;
395
396 /* Check the EFD_* constants for consistency. */
397 BUILD_BUG_ON(EFD_CLOEXEC != O_CLOEXEC);
398 BUILD_BUG_ON(EFD_NONBLOCK != O_NONBLOCK);
399
400 if (flags & ~EFD_FLAGS_SET)
401 return -EINVAL;
402
403 ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
404 if (!ctx)
405 return -ENOMEM;
406
407 kref_init(&ctx->kref);
408 init_waitqueue_head(&ctx->wqh);
409 ctx->count = count;
410 ctx->flags = flags;
411 ctx->id = ida_simple_get(&eventfd_ida, 0, 0, GFP_KERNEL);
412
413 fd = anon_inode_getfd("[eventfd]", &eventfd_fops, ctx,
414 O_RDWR | (flags & EFD_SHARED_FCNTL_FLAGS));
415 if (fd < 0)
416 eventfd_free_ctx(ctx);
417
418 return fd;
419 }
420
SYSCALL_DEFINE2(eventfd2,unsigned int,count,int,flags)421 SYSCALL_DEFINE2(eventfd2, unsigned int, count, int, flags)
422 {
423 return do_eventfd(count, flags);
424 }
425
SYSCALL_DEFINE1(eventfd,unsigned int,count)426 SYSCALL_DEFINE1(eventfd, unsigned int, count)
427 {
428 return do_eventfd(count, 0);
429 }
430
431