1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  fs/eventfd.c
4  *
5  *  Copyright (C) 2007  Davide Libenzi <davidel@xmailserver.org>
6  *
7  */
8 
9 #include <linux/file.h>
10 #include <linux/poll.h>
11 #include <linux/init.h>
12 #include <linux/fs.h>
13 #include <linux/sched/signal.h>
14 #include <linux/kernel.h>
15 #include <linux/slab.h>
16 #include <linux/list.h>
17 #include <linux/spinlock.h>
18 #include <linux/anon_inodes.h>
19 #include <linux/syscalls.h>
20 #include <linux/export.h>
21 #include <linux/kref.h>
22 #include <linux/eventfd.h>
23 #include <linux/proc_fs.h>
24 #include <linux/seq_file.h>
25 #include <linux/idr.h>
26 
/*
 * Allocator for the per-context ids stored in eventfd_ctx.id and printed as
 * "eventfd-id" in fdinfo.
 */
static DEFINE_IDA(eventfd_ida);
28 
struct eventfd_ctx {
	/* Reference count; eventfd_free() runs when the last one is put. */
	struct kref kref;
	/* Waiters on the counter; wqh.lock also protects writes to "count". */
	wait_queue_head_t wqh;
	/*
	 * The counter itself.  A write(2) on the eventfd adds the __u64
	 * supplied by userspace to "count" and wakes up "wqh".  A read(2)
	 * hands "count" back to userspace and resets it to zero (with
	 * EFD_SEMAPHORE it hands back 1 and decrements by 1 instead).  The
	 * in-kernel eventfd_signal() adds to "count" and issues a wakeup
	 * as well.
	 */
	__u64 count;
	/* The flags argument passed to do_eventfd(), stored unmodified. */
	unsigned int flags;
	/* Id taken from eventfd_ida; negative when no id could be allocated. */
	int id;
};
44 
/**
 * eventfd_signal - Add @n to the eventfd counter from kernel context.
 * @ctx: [in] Pointer to the eventfd context.
 * @n: [in] Amount to add to the eventfd internal counter (unsigned).
 *
 * Intended for kernel paths that are not allowed to sleep.  Unlike write(2),
 * this path lets the counter reach ULLONG_MAX: the addition saturates instead
 * of wrapping, and the saturated state is reported to poll(2) as EPOLLERR.
 *
 * The wakeup is issued with ctx->wqh.lock held, so a wait-queue callback
 * that runs from this wakeup must not call eventfd_signal() on the same
 * @ctx: it would try to take the lock it is already running under.
 *
 * Return: the amount by which the counter was actually incremented.  This is
 * less than @n if the counter hit ULLONG_MAX.
 */
__u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
{
	unsigned long irqflags;
	__u64 room;

	spin_lock_irqsave(&ctx->wqh.lock, irqflags);

	/* Clamp the increment to the space left below ULLONG_MAX. */
	room = ULLONG_MAX - ctx->count;
	if (n > room)
		n = room;
	ctx->count += n;

	if (waitqueue_active(&ctx->wqh))
		wake_up_locked_poll(&ctx->wqh, EPOLLIN);

	spin_unlock_irqrestore(&ctx->wqh.lock, irqflags);

	return n;
}
EXPORT_SYMBOL_GPL(eventfd_signal);
74 
/*
 * Give the context's id back to eventfd_ida (when it has one) and free the
 * context.  The caller must hold the only remaining reference.
 */
static void eventfd_free_ctx(struct eventfd_ctx *ctx)
{
	const int id = ctx->id;

	/* A negative id means do_eventfd() could not allocate one. */
	if (!(id < 0))
		ida_simple_remove(&eventfd_ida, id);

	kfree(ctx);
}
81 
/*
 * kref release callback: recover the context that embeds @kref and free it.
 */
static void eventfd_free(struct kref *kref)
{
	eventfd_free_ctx(container_of(kref, struct eventfd_ctx, kref));
}
88 
/**
 * eventfd_ctx_put - Release a reference to the internal eventfd context.
 * @ctx: [in] Pointer to eventfd context.
 *
 * The reference being dropped must have been acquired earlier with
 * eventfd_ctx_fdget() or eventfd_ctx_fileget().  Dropping the last reference
 * frees the context, so the caller must not touch @ctx after this returns.
 */
void eventfd_ctx_put(struct eventfd_ctx *ctx)
{
	struct kref *ref = &ctx->kref;

	kref_put(ref, eventfd_free);
}
EXPORT_SYMBOL_GPL(eventfd_ctx_put);
101 
/*
 * ->release handler: report EPOLLHUP to anything still waiting on the
 * context, then drop the reference held through file->private_data.
 * In-kernel users that took their own reference keep the context alive.
 */
static int eventfd_release(struct inode *inode, struct file *file)
{
	struct eventfd_ctx *efd = file->private_data;

	wake_up_poll(&efd->wqh, EPOLLHUP);
	eventfd_ctx_put(efd);

	return 0;
}
110 
/*
 * ->poll handler.  Reports EPOLLIN when the counter is non-zero, EPOLLERR
 * when it is ULLONG_MAX, and EPOLLOUT when it is below ULLONG_MAX - 1.
 */
static __poll_t eventfd_poll(struct file *file, poll_table *wait)
{
	struct eventfd_ctx *ctx = file->private_data;
	__poll_t mask = 0;
	u64 snapshot;

	poll_wait(file, &ctx->wqh, wait);

	/*
	 * Every write to ctx->count happens under ctx->wqh.lock.  Reading it
	 * here without the lock is fine because poll_wait takes that lock
	 * (through add_wait_queue) whenever our caller is going to sleep.
	 *
	 * The read is therefore allowed to sink into add_wait_queue's
	 * critical section, but it can never be hoisted above it:
	 * add_wait_queue's spin_lock is an acquire barrier and orders the
	 * read correctly against the writes.  This interleaving CAN happen
	 * and is safe:
	 *
	 *     poll                               write
	 *     -----------------                  ------------
	 *     lock ctx->wqh.lock (in poll_wait)
	 *     count = ctx->count
	 *     __add_wait_queue
	 *     unlock ctx->wqh.lock
	 *                                        lock ctx->wqh.lock
	 *                                        ctx->count += n
	 *                                        if (waitqueue_active)
	 *                                          wake_up_locked_poll
	 *                                        unlock ctx->wqh.lock
	 *     eventfd_poll returns 0
	 *
	 * whereas this one, which would lose a wakeup, cannot happen:
	 *
	 *     poll                               write
	 *     -----------------                  ------------
	 *     count = ctx->count (INVALID!)
	 *                                        lock ctx->wqh.lock
	 *                                        ctx->count += n
	 *                                        **waitqueue_active is false**
	 *                                        **no wake_up_locked_poll!**
	 *                                        unlock ctx->wqh.lock
	 *     lock ctx->wqh.lock (in poll_wait)
	 *     __add_wait_queue
	 *     unlock ctx->wqh.lock
	 *     eventfd_poll returns 0
	 */
	snapshot = READ_ONCE(ctx->count);

	/* Readable as soon as there is anything to consume. */
	if (snapshot != 0)
		mask |= EPOLLIN;
	/* A counter of ULLONG_MAX is the overflow marker. */
	if (snapshot == ULLONG_MAX)
		mask |= EPOLLERR;
	/* Writable while a write of at least 1 would still fit. */
	if (snapshot < ULLONG_MAX - 1)
		mask |= EPOLLOUT;

	return mask;
}
168 
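/*
 * Consume from the counter and report the consumed amount through @cnt.
 * Both callers in this file invoke it with ctx->wqh.lock held.
 *
 * Without EFD_SEMAPHORE the whole counter is taken and reset to zero.  With
 * EFD_SEMAPHORE a single unit is taken, but only when the counter is
 * non-zero: eventfd_ctx_remove_wait_queue() calls this without checking the
 * counter first, and subtracting 1 from 0 would wrap "count" around to
 * ULLONG_MAX and report a unit that was never signalled.  On an empty
 * counter *@cnt is therefore 0 in both modes.
 */
static void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
{
	*cnt = ((ctx->flags & EFD_SEMAPHORE) && ctx->count) ? 1 : ctx->count;
	ctx->count -= *cnt;
}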
174 
/**
 * eventfd_ctx_remove_wait_queue - Read the current counter and remove a wait
 *                                 queue entry.
 * @ctx: [in] Pointer to eventfd context.
 * @wait: [in] Wait queue entry to be removed.
 * @cnt: [out] Pointer to the 64-bit counter value.
 *
 * Under ctx->wqh.lock, atomically takes @wait off the eventfd wait queue
 * head and reads/resets the counter through eventfd_ctx_do_read().  If
 * anything was consumed, remaining waiters are woken with EPOLLOUT.
 *
 * NOTE(review): the return value is derived from *@cnt, so it is only
 * meaningful if eventfd_ctx_do_read() reports 0 for an empty counter.
 *
 * Return: %0 if a non-zero value was read, or:
 *
 * -EAGAIN      : The operation would have blocked (nothing to read).
 */
int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait,
				  __u64 *cnt)
{
	unsigned long irqflags;

	spin_lock_irqsave(&ctx->wqh.lock, irqflags);

	eventfd_ctx_do_read(ctx, cnt);
	__remove_wait_queue(&ctx->wqh, wait);

	/* Room was made in the counter: let blocked writers know. */
	if (*cnt != 0) {
		if (waitqueue_active(&ctx->wqh))
			wake_up_locked_poll(&ctx->wqh, EPOLLOUT);
	}

	spin_unlock_irqrestore(&ctx->wqh.lock, irqflags);

	if (*cnt == 0)
		return -EAGAIN;

	return 0;
}
EXPORT_SYMBOL_GPL(eventfd_ctx_remove_wait_queue);
203 
/*
 * ->read handler.  Copies the consumed counter value (a __u64) to @buf.
 *
 * Returns sizeof(__u64) on success, -EINVAL if @count is too small for a
 * __u64, -EAGAIN if the counter is zero and the file is O_NONBLOCK,
 * -ERESTARTSYS if a signal arrives while waiting, or -EFAULT if the copy to
 * userspace fails.
 */
static ssize_t eventfd_read(struct file *file, char __user *buf, size_t count,
			    loff_t *ppos)
{
	struct eventfd_ctx *ctx = file->private_data;
	__u64 ucnt = 0;
	ssize_t res = -EAGAIN;
	DECLARE_WAITQUEUE(wait, current);

	/* The user buffer must be able to hold the whole 64-bit value. */
	if (count < sizeof(ucnt))
		return -EINVAL;

	spin_lock_irq(&ctx->wqh.lock);
	if (ctx->count != 0) {
		res = sizeof(ucnt);
	} else if (!(file->f_flags & O_NONBLOCK)) {
		__add_wait_queue(&ctx->wqh, &wait);
		for (;;) {
			/*
			 * Mark ourselves sleeping before re-checking the
			 * counter so a wakeup between the check and
			 * schedule() is not lost.
			 */
			set_current_state(TASK_INTERRUPTIBLE);
			if (ctx->count != 0) {
				res = sizeof(ucnt);
				break;
			}
			if (signal_pending(current)) {
				res = -ERESTARTSYS;
				break;
			}
			/* Sleep with the lock dropped, retake it on wakeup. */
			spin_unlock_irq(&ctx->wqh.lock);
			schedule();
			spin_lock_irq(&ctx->wqh.lock);
		}
		__remove_wait_queue(&ctx->wqh, &wait);
		__set_current_state(TASK_RUNNING);
	}

	if (likely(res > 0)) {
		/* Consume under the lock, then wake writers waiting for room. */
		eventfd_ctx_do_read(ctx, &ucnt);
		if (waitqueue_active(&ctx->wqh))
			wake_up_locked_poll(&ctx->wqh, EPOLLOUT);
	}
	spin_unlock_irq(&ctx->wqh.lock);

	if (res <= 0)
		return res;

	/*
	 * The counter has already been consumed at this point; if the copy
	 * to userspace faults, the value that was read is not put back.
	 */
	if (put_user(ucnt, (__u64 __user *)buf))
		return -EFAULT;

	return res;
}
250 
/*
 * ->write handler.  Adds the __u64 read from @buf to the counter.
 *
 * Returns sizeof(__u64) on success, -EINVAL if @count is too small for a
 * __u64 or the value is ULLONG_MAX, -EFAULT if the copy from userspace
 * fails, -EAGAIN if the value does not fit and the file is O_NONBLOCK, or
 * -ERESTARTSYS if a signal arrives while waiting for room.
 */
static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t count,
			     loff_t *ppos)
{
	struct eventfd_ctx *ctx = file->private_data;
	__u64 ucnt;
	ssize_t res = -EAGAIN;
	DECLARE_WAITQUEUE(wait, current);

	if (count < sizeof(ucnt))
		return -EINVAL;
	if (copy_from_user(&ucnt, buf, sizeof(ucnt)))
		return -EFAULT;
	/*
	 * The fit test below needs count + ucnt to stay strictly below
	 * ULLONG_MAX, which ULLONG_MAX itself can never satisfy; reject it
	 * up front instead of waiting forever.
	 */
	if (ucnt == ULLONG_MAX)
		return -EINVAL;

	spin_lock_irq(&ctx->wqh.lock);
	if (ucnt < ULLONG_MAX - ctx->count) {
		res = sizeof(ucnt);
	} else if (!(file->f_flags & O_NONBLOCK)) {
		__add_wait_queue(&ctx->wqh, &wait);
		for (;;) {
			/*
			 * Mark ourselves sleeping before re-checking for
			 * room so a wakeup between the check and schedule()
			 * is not lost.
			 */
			set_current_state(TASK_INTERRUPTIBLE);
			if (ucnt < ULLONG_MAX - ctx->count) {
				res = sizeof(ucnt);
				break;
			}
			if (signal_pending(current)) {
				res = -ERESTARTSYS;
				break;
			}
			/* Sleep with the lock dropped, retake it on wakeup. */
			spin_unlock_irq(&ctx->wqh.lock);
			schedule();
			spin_lock_irq(&ctx->wqh.lock);
		}
		__remove_wait_queue(&ctx->wqh, &wait);
		__set_current_state(TASK_RUNNING);
	}

	if (likely(res > 0)) {
		/* The fit test passed under the lock, so this cannot wrap. */
		ctx->count += ucnt;
		if (waitqueue_active(&ctx->wqh))
			wake_up_locked_poll(&ctx->wqh, EPOLLIN);
	}
	spin_unlock_irq(&ctx->wqh.lock);

	return res;
}
297 
#ifdef CONFIG_PROC_FS
/*
 * ->show_fdinfo handler: prints the current counter (hex) and the context
 * id.  The counter is sampled under ctx->wqh.lock; the id is set once in
 * do_eventfd() and is read without the lock.
 */
static void eventfd_show_fdinfo(struct seq_file *m, struct file *f)
{
	struct eventfd_ctx *ctx = f->private_data;
	__u64 snapshot;

	spin_lock_irq(&ctx->wqh.lock);
	snapshot = ctx->count;
	spin_unlock_irq(&ctx->wqh.lock);

	seq_printf(m, "eventfd-count: %16llx\n",
		   (unsigned long long)snapshot);
	seq_printf(m, "eventfd-id: %d\n", ctx->id);
}
#endif
310 
/*
 * File operations installed on every eventfd file.  The address of this
 * table is also what eventfd_fget() and eventfd_ctx_fileget() compare f_op
 * against to decide whether a file is an eventfd.
 */
static const struct file_operations eventfd_fops = {
	.read		= eventfd_read,
	.write		= eventfd_write,
	.poll		= eventfd_poll,
	.llseek		= noop_llseek,
	.release	= eventfd_release,
#ifdef CONFIG_PROC_FS
	.show_fdinfo	= eventfd_show_fdinfo,
#endif
};
321 
/**
 * eventfd_fget - Acquire a reference to an eventfd file.
 * @fd: [in] Eventfd file descriptor.
 *
 * On success the caller owns a file reference and must release it with
 * fput().  If @fd refers to some other kind of file, the reference taken
 * here is dropped again before returning.
 *
 * Return: pointer to the eventfd file structure, or one of these error
 * pointers:
 *
 * -EBADF    : Invalid @fd file descriptor.
 * -EINVAL   : The @fd file descriptor is not an eventfd file.
 */
struct file *eventfd_fget(int fd)
{
	struct file *file = fget(fd);

	if (!file)
		return ERR_PTR(-EBADF);

	/* Only files created with eventfd_fops are eventfds. */
	if (file->f_op == &eventfd_fops)
		return file;

	fput(file);
	return ERR_PTR(-EINVAL);
}
EXPORT_SYMBOL_GPL(eventfd_fget);
347 
/**
 * eventfd_ctx_fdget - Acquire a reference to the internal eventfd context.
 * @fd: [in] Eventfd file descriptor.
 *
 * The file is only held for the duration of the lookup; what the caller
 * gets back is a reference on the context, to be released with
 * eventfd_ctx_put().
 *
 * Return: pointer to the internal eventfd context, or one of these error
 * pointers:
 *
 * -EBADF    : Invalid @fd file descriptor.
 * -EINVAL   : The @fd file descriptor is not an eventfd file (returned by
 *             eventfd_ctx_fileget()).
 */
struct eventfd_ctx *eventfd_ctx_fdget(int fd)
{
	struct fd f = fdget(fd);
	struct eventfd_ctx *ctx;

	if (f.file) {
		ctx = eventfd_ctx_fileget(f.file);
		fdput(f);
	} else {
		ctx = ERR_PTR(-EBADF);
	}

	return ctx;
}
EXPORT_SYMBOL_GPL(eventfd_ctx_fdget);
368 
/**
 * eventfd_ctx_fileget - Acquire a reference to the internal eventfd context.
 * @file: [in] Eventfd file pointer.
 *
 * The f_op comparison is what makes it safe to treat file->private_data as
 * a struct eventfd_ctx; it must stay ahead of any access to private_data.
 * @file is dereferenced unconditionally, so it must not be NULL.
 *
 * Return: pointer to the internal eventfd context with its reference count
 * raised, or the error pointer:
 *
 * -EINVAL   : @file is not an eventfd file.
 */
struct eventfd_ctx *eventfd_ctx_fileget(struct file *file)
{
	struct eventfd_ctx *ctx = ERR_PTR(-EINVAL);

	if (file->f_op == &eventfd_fops) {
		ctx = file->private_data;
		kref_get(&ctx->kref);
	}

	return ctx;
}
EXPORT_SYMBOL_GPL(eventfd_ctx_fileget);
390 
/*
 * Common implementation of eventfd(2) and eventfd2(2): allocate a context
 * with initial counter @count and return a new file descriptor for it.
 *
 * Returns the new descriptor, -EINVAL if @flags has bits outside
 * EFD_FLAGS_SET, -ENOMEM if the context cannot be allocated, or the error
 * returned by anon_inode_getfd().
 */
static int do_eventfd(unsigned int count, int flags)
{
	struct eventfd_ctx *ctx;
	int file_flags;
	int fd;

	/* Check the EFD_* constants for consistency.  */
	BUILD_BUG_ON(EFD_CLOEXEC != O_CLOEXEC);
	BUILD_BUG_ON(EFD_NONBLOCK != O_NONBLOCK);

	/* Refuse flag bits this implementation does not know about. */
	if (flags & ~EFD_FLAGS_SET)
		return -EINVAL;

	ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
	if (!ctx)
		return -ENOMEM;

	/*
	 * kmalloc() does not zero the memory, so every field of the context
	 * is initialised explicitly here.
	 */
	ctx->count = count;
	ctx->flags = flags;
	kref_init(&ctx->kref);
	init_waitqueue_head(&ctx->wqh);
	/* A failed id allocation is tolerated: id is then negative. */
	ctx->id = ida_simple_get(&eventfd_ida, 0, 0, GFP_KERNEL);

	/* Only the flags shared with fcntl are passed on to the file. */
	file_flags = O_RDWR | (flags & EFD_SHARED_FCNTL_FLAGS);
	fd = anon_inode_getfd("[eventfd]", &eventfd_fops, ctx, file_flags);
	if (fd < 0) {
		/* No file took over the context; release it directly. */
		eventfd_free_ctx(ctx);
	}

	return fd;
}
420 
/*
 * eventfd2(2): create an eventfd with initial counter @count and the given
 * EFD_* @flags; flag validation is done in do_eventfd().
 */
SYSCALL_DEFINE2(eventfd2, unsigned int, count, int, flags)
{
	return do_eventfd(count, flags);
}
425 
/*
 * eventfd(2): the original entry point without a flags argument; same as
 * eventfd2(2) with flags set to 0.
 */
SYSCALL_DEFINE1(eventfd, unsigned int, count)
{
	return do_eventfd(count, 0);
}
430 