1
/*
2
 *  fs/eventpoll.c (Efficient event retrieval implementation)
3
 *  Copyright (C) 2001,...,2009	 Davide Libenzi
4
 *
5
 *  This program is free software; you can redistribute it and/or modify
6
 *  it under the terms of the GNU General Public License as published by
7
 *  the Free Software Foundation; either version 2 of the License, or
8
 *  (at your option) any later version.
9
 *
10
 *  Davide Libenzi <[email protected]>
11
 *
12
 */
13

14
#include <linux/init.h>
15
#include <linux/kernel.h>
16
#include <linux/sched.h>
17
#include <linux/fs.h>
18
#include <linux/file.h>
19
#include <linux/signal.h>
20
#include <linux/errno.h>
21
#include <linux/mm.h>
22
#include <linux/slab.h>
23
#include <linux/poll.h>
24
#include <linux/string.h>
25
#include <linux/list.h>
26
#include <linux/hash.h>
27
#include <linux/spinlock.h>
28
#include <linux/syscalls.h>
29
#include <linux/rbtree.h>
30
#include <linux/wait.h>
31
#include <linux/eventpoll.h>
32
#include <linux/mount.h>
33
#include <linux/bitops.h>
34
#include <linux/mutex.h>
35
#include <linux/anon_inodes.h>
36
#include <asm/uaccess.h>
37
#include <asm/system.h>
38
#include <asm/io.h>
39
#include <asm/mman.h>
40
#include <asm/atomic.h>
41

42
/*
43
 * LOCKING:
44
 * There are three level of locking required by epoll :
45
 *
46
 * 1) epmutex (mutex)
47
 * 2) ep->mtx (mutex)
48
 * 3) ep->lock (spinlock)
49
 *
50
 * The acquire order is the one listed above, from 1 to 3.
51
 * We need a spinlock (ep->lock) because we manipulate objects
52
 * from inside the poll callback, that might be triggered from
53
 * a wake_up() that in turn might be called from IRQ context.
54
 * So we can't sleep inside the poll callback and hence we need
55
 * a spinlock. During the event transfer loop (from kernel to
56
 * user space) we could end up sleeping due a copy_to_user(), so
57
 * we need a lock that will allow us to sleep. This lock is a
58
 * mutex (ep->mtx). It is acquired during the event transfer loop,
59
 * during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file().
60
 * Then we also need a global mutex to serialize eventpoll_release_file()
61
 * and ep_free().
62
 * This mutex is acquired by ep_free() during the epoll file
63
 * cleanup path and it is also acquired by eventpoll_release_file()
64
 * if a file has been pushed inside an epoll set and it is then
65
 * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL).
66
 * It is also acquired when inserting an epoll fd onto another epoll
67
 * fd. We do this so that we walk the epoll tree and ensure that this
68
 * insertion does not create a cycle of epoll file descriptors, which
69
 * could lead to deadlock. We need a global mutex to prevent two
70
 * simultaneous inserts (A into B and B into A) from racing and
71
 * constructing a cycle without either insert observing that it is
72
 * going to.
73
 * It is possible to drop the "ep->mtx" and to use the global
74
 * mutex "epmutex" (together with "ep->lock") to have it working,
75
 * but having "ep->mtx" will make the interface more scalable.
76
 * Events that require holding "epmutex" are very rare, while for
77
 * normal operations the epoll private "ep->mtx" will guarantee
78
 * a better scalability.
79
 */
80

81
/* Epoll private bits inside the event mask */
82
#define EP_PRIVATE_BITS (EPOLLONESHOT | EPOLLET)
83

84
/* Maximum number of nesting allowed inside epoll sets */
85
#define EP_MAX_NESTS 4
86

87
#define EP_MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
88

89
#define EP_UNACTIVE_PTR ((void *) -1L)
90

91
#define EP_ITEM_COST (sizeof(struct epitem) + sizeof(struct eppoll_entry))
92

93
struct epoll_filefd {
94
	struct file *file;
95
	int fd;
96
};
97

98
/*
99
 * Structure used to track possible nested calls, for too deep recursions
100
 * and loop cycles.
101
 */
102
struct nested_call_node {
103
	struct list_head llink;
104
	void *cookie;
105
	void *ctx;
106
};
107

108
/*
109
 * This structure is used as collector for nested calls, to check for
110
 * maximum recursion dept and loop cycles.
111
 */
112
struct nested_calls {
113
	struct list_head tasks_call_list;
114
	spinlock_t lock;
115
};
116

117
/*
118
 * Each file descriptor added to the eventpoll interface will
119
 * have an entry of this type linked to the "rbr" RB tree.
120
 */
121
struct epitem {
122
	/* RB tree node used to link this structure to the eventpoll RB tree */
123
	struct rb_node rbn;
124

125
	/* List header used to link this structure to the eventpoll ready list */
126
	struct list_head rdllink;
127

128
	/*
129
	 * Works together "struct eventpoll"->ovflist in keeping the
130
	 * single linked chain of items.
131
	 */
132
	struct epitem *next;
133

134
	/* The file descriptor information this item refers to */
135
	struct epoll_filefd ffd;
136

137
	/* Number of active wait queue attached to poll operations */
138
	int nwait;
139

140
	/* List containing poll wait queues */
141
	struct list_head pwqlist;
142

143
	/* The "container" of this item */
144
	struct eventpoll *ep;
145

146
	/* List header used to link this item to the "struct file" items list */
147
	struct list_head fllink;
148

149
	/* The structure that describe the interested events and the source fd */
150
	struct epoll_event event;
151
};
152

153
/*
154
 * This structure is stored inside the "private_data" member of the file
155
 * structure and represents the main data structure for the eventpoll
156
 * interface.
157
 */
158
struct eventpoll {
159
	/* Protect the access to this structure */
160
	spinlock_t lock;
161

162
	/*
163
	 * This mutex is used to ensure that files are not removed
164
	 * while epoll is using them. This is held during the event
165
	 * collection loop, the file cleanup path, the epoll file exit
166
	 * code and the ctl operations.
167
	 */
168
	struct mutex mtx;
169

170
	/* Wait queue used by sys_epoll_wait() */
171
	wait_queue_head_t wq;
172

173
	/* Wait queue used by file->poll() */
174
	wait_queue_head_t poll_wait;
175

176
	/* List of ready file descriptors */
177
	struct list_head rdllist;
178

179
	/* RB tree root used to store monitored fd structs */
180
	struct rb_root rbr;
181

182
	/*
183
	 * This is a single linked list that chains all the "struct epitem" that
184
	 * happened while transferring ready events to userspace w/out
185
	 * holding ->lock.
186
	 */
187
	struct epitem *ovflist;
188

189
	/* The user that created the eventpoll descriptor */
190
	struct user_struct *user;
191
};
192

193
/* Wait structure used by the poll hooks */
194
struct eppoll_entry {
195
	/* List header used to link this structure to the "struct epitem" */
196
	struct list_head llink;
197

198
	/* The "base" pointer is set to the container "struct epitem" */
199
	struct epitem *base;
200

201
	/*
202
	 * Wait queue item that will be linked to the target file wait
203
	 * queue head.
204
	 */
205
	wait_queue_t wait;
206

207
	/* The wait queue head that linked the "wait" wait queue item */
208
	wait_queue_head_t *whead;
209
};
210

211
/* Wrapper struct used by poll queueing */
212
struct ep_pqueue {
213
	poll_table pt;
214
	struct epitem *epi;
215
};
216

217
/* Used by the ep_send_events() function as callback private data */
218
struct ep_send_events_data {
219
	int maxevents;
220
	struct epoll_event __user *events;
221
};
222

223
/*
224
 * Configuration options available inside /proc/sys/fs/epoll/
225
 */
226
/* Maximum number of epoll watched descriptors, per user */
227
static long max_user_watches __read_mostly;
228

229
/*
230
 * This mutex is used to serialize ep_free() and eventpoll_release_file().
231
 */
232
static DEFINE_MUTEX(epmutex);
233

234
/* Used to check for epoll file descriptor inclusion loops */
235
static struct nested_calls poll_loop_ncalls;
236

237
/* Used for safe wake up implementation */
238
static struct nested_calls poll_safewake_ncalls;
239

240
/* Used to call file's f_op->poll() under the nested calls boundaries */
241
static struct nested_calls poll_readywalk_ncalls;
242

243
/* Slab cache used to allocate "struct epitem" */
244
static struct kmem_cache *epi_cache __read_mostly;
245

246
/* Slab cache used to allocate "struct eppoll_entry" */
247
static struct kmem_cache *pwq_cache __read_mostly;
248

249
#ifdef CONFIG_SYSCTL
250

251
#include <linux/sysctl.h>
252

253
static long zero;
254
static long long_max = LONG_MAX;
255

256
ctl_table epoll_table[] = {
257
	{
258
		.procname	= "max_user_watches",
259
		.data		= &max_user_watches,
260
		.maxlen		= sizeof(max_user_watches),
261
		.mode		= 0644,
262
		.proc_handler	= proc_doulongvec_minmax,
263
		.extra1		= &zero,
264
		.extra2		= &long_max,
265
	},
266
	{ }
267
};
268
#endif /* CONFIG_SYSCTL */
269

270

271
/* Setup the structure that is used as key for the RB tree */
272
static inline void ep_set_ffd(struct epoll_filefd *ffd,
273
			      struct file *file, int fd)
274
{
275
	ffd->file = file;
276
	ffd->fd = fd;
277
}
278

279
/* Compare RB tree keys */
280
static inline int ep_cmp_ffd(struct epoll_filefd *p1,
281
			     struct epoll_filefd *p2)
282
{
283
	return (p1->file > p2->file ? +1:
284
	        (p1->file < p2->file ? -1 : p1->fd - p2->fd));
285
}
286

287
/* Tells us if the item is currently linked */
288
static inline int ep_is_linked(struct list_head *p)
289
{
290
	return !list_empty(p);
291
}
292

293
/* Get the "struct epitem" from a wait queue pointer */
294
static inline struct epitem *ep_item_from_wait(wait_queue_t *p)
295
{
296
	return container_of(p, struct eppoll_entry, wait)->base;
297
}
298

299
/* Get the "struct epitem" from an epoll queue wrapper */
300
static inline struct epitem *ep_item_from_epqueue(poll_table *p)
301
{
302
	return container_of(p, struct ep_pqueue, pt)->epi;
303
}
304

305
/* Tells if the epoll_ctl(2) operation needs an event copy from userspace */
306
static inline int ep_op_has_event(int op)
307
{
308
	return op != EPOLL_CTL_DEL;
309
}
310

311
/* Initialize the poll safe wake up structure */
312
static void ep_nested_calls_init(struct nested_calls *ncalls)
313
{
314
	INIT_LIST_HEAD(&ncalls->tasks_call_list);
315
	spin_lock_init(&ncalls->lock);
316
}
317

318
/**
319
 * ep_events_available - Checks if ready events might be available.
320
 *
321
 * @ep: Pointer to the eventpoll context.
322
 *
323
 * Returns: Returns a value different than zero if ready events are available,
324
 *          or zero otherwise.
325
 */
326
static inline int ep_events_available(struct eventpoll *ep)
327
{
328
	return !list_empty(&ep->rdllist) || ep->ovflist != EP_UNACTIVE_PTR;
329
}
330

331
/**
332
 * ep_call_nested - Perform a bound (possibly) nested call, by checking
333
 *                  that the recursion limit is not exceeded, and that
334
 *                  the same nested call (by the meaning of same cookie) is
335
 *                  no re-entered.
336
 *
337
 * @ncalls: Pointer to the nested_calls structure to be used for this call.
338
 * @max_nests: Maximum number of allowed nesting calls.
339
 * @nproc: Nested call core function pointer.
340
 * @priv: Opaque data to be passed to the @nproc callback.
341
 * @cookie: Cookie to be used to identify this nested call.
342
 * @ctx: This instance context.
343
 *
344
 * Returns: Returns the code returned by the @nproc callback, or -1 if
345
 *          the maximum recursion limit has been exceeded.
346
 */
347
static int ep_call_nested(struct nested_calls *ncalls, int max_nests,
348
			  int (*nproc)(void *, void *, int), void *priv,
349
			  void *cookie, void *ctx)
350
{
351
	int error, call_nests = 0;
352
	unsigned long flags;
353
	struct list_head *lsthead = &ncalls->tasks_call_list;
354
	struct nested_call_node *tncur;
355
	struct nested_call_node tnode;
356

357
	spin_lock_irqsave(&ncalls->lock, flags);
358

359
	/*
360
	 * Try to see if the current task is already inside this wakeup call.
361
	 * We use a list here, since the population inside this set is always
362
	 * very much limited.
363
	 */
364
	list_for_each_entry(tncur, lsthead, llink) {
365
		if (tncur->ctx == ctx &&
366
		    (tncur->cookie == cookie || ++call_nests > max_nests)) {
367
			/*
368
			 * Ops ... loop detected or maximum nest level reached.
369
			 * We abort this wake by breaking the cycle itself.
370
			 */
371
			error = -1;
372
			goto out_unlock;
373
		}
374
	}
375

376
	/* Add the current task and cookie to the list */
377
	tnode.ctx = ctx;
378
	tnode.cookie = cookie;
379
	list_add(&tnode.llink, lsthead);
380

381
	spin_unlock_irqrestore(&ncalls->lock, flags);
382

383
	/* Call the nested function */
384
	error = (*nproc)(priv, cookie, call_nests);
385

386
	/* Remove the current task from the list */
387
	spin_lock_irqsave(&ncalls->lock, flags);
388
	list_del(&tnode.llink);
389
out_unlock:
390
	spin_unlock_irqrestore(&ncalls->lock, flags);
391

392
	return error;
393
}
394

395
#ifdef CONFIG_DEBUG_LOCK_ALLOC
396
static inline void ep_wake_up_nested(wait_queue_head_t *wqueue,
397
				     unsigned long events, int subclass)
398
{
399
	unsigned long flags;
400

401
	spin_lock_irqsave_nested(&wqueue->lock, flags, subclass);
402
	wake_up_locked_poll(wqueue, events);
403
	spin_unlock_irqrestore(&wqueue->lock, flags);
404
}
405
#else
406
static inline void ep_wake_up_nested(wait_queue_head_t *wqueue,
407
				     unsigned long events, int subclass)
408
{
409
	wake_up_poll(wqueue, events);
410
}
411
#endif
412

413
static int ep_poll_wakeup_proc(void *priv, void *cookie, int call_nests)
414
{
415
	ep_wake_up_nested((wait_queue_head_t *) cookie, POLLIN,
416
			  1 + call_nests);
417
	return 0;
418
}
419

420
/*
421
 * Perform a safe wake up of the poll wait list. The problem is that
422
 * with the new callback'd wake up system, it is possible that the
423
 * poll callback is reentered from inside the call to wake_up() done
424
 * on the poll wait queue head. The rule is that we cannot reenter the
425
 * wake up code from the same task more than EP_MAX_NESTS times,
426
 * and we cannot reenter the same wait queue head at all. This will
427
 * enable to have a hierarchy of epoll file descriptor of no more than
428
 * EP_MAX_NESTS deep.
429
 */
430
static void ep_poll_safewake(wait_queue_head_t *wq)
431
{
432
	int this_cpu = get_cpu();
433

434
	ep_call_nested(&poll_safewake_ncalls, EP_MAX_NESTS,
435
		       ep_poll_wakeup_proc, NULL, wq, (void *) (long) this_cpu);
436

437
	put_cpu();
438
}
439

440
/*
441
 * This function unregisters poll callbacks from the associated file
442
 * descriptor.  Must be called with "mtx" held (or "epmutex" if called from
443
 * ep_free).
444
 */
445
static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
446
{
447
	struct list_head *lsthead = &epi->pwqlist;
448
	struct eppoll_entry *pwq;
449

450
	while (!list_empty(lsthead)) {
451
		pwq = list_first_entry(lsthead, struct eppoll_entry, llink);
452

453
		list_del(&pwq->llink);
454
		remove_wait_queue(pwq->whead, &pwq->wait);
455
		kmem_cache_free(pwq_cache, pwq);
456
	}
457
}
458

459
/**
460
 * ep_scan_ready_list - Scans the ready list in a way that makes possible for
461
 *                      the scan code, to call f_op->poll(). Also allows for
462
 *                      O(NumReady) performance.
463
 *
464
 * @ep: Pointer to the epoll private data structure.
465
 * @sproc: Pointer to the scan callback.
466
 * @priv: Private opaque data passed to the @sproc callback.
467
 *
468
 * Returns: The same integer error code returned by the @sproc callback.
469
 */
470
static int ep_scan_ready_list(struct eventpoll *ep,
471
			      int (*sproc)(struct eventpoll *,
472
					   struct list_head *, void *),
473
			      void *priv)
474
{
475
	int error, pwake = 0;
476
	unsigned long flags;
477
	struct epitem *epi, *nepi;
478
	LIST_HEAD(txlist);
479

480
	/*
481
	 * We need to lock this because we could be hit by
482
	 * eventpoll_release_file() and epoll_ctl().
483
	 */
484
	mutex_lock(&ep->mtx);
485

486
	/*
487
	 * Steal the ready list, and re-init the original one to the
488
	 * empty list. Also, set ep->ovflist to NULL so that events
489
	 * happening while looping w/out locks, are not lost. We cannot
490
	 * have the poll callback to queue directly on ep->rdllist,
491
	 * because we want the "sproc" callback to be able to do it
492
	 * in a lockless way.
493
	 */
494
	spin_lock_irqsave(&ep->lock, flags);
495
	list_splice_init(&ep->rdllist, &txlist);
496
	ep->ovflist = NULL;
497
	spin_unlock_irqrestore(&ep->lock, flags);
498

499
	/*
500
	 * Now call the callback function.
501
	 */
502
	error = (*sproc)(ep, &txlist, priv);
503

504
	spin_lock_irqsave(&ep->lock, flags);
505
	/*
506
	 * During the time we spent inside the "sproc" callback, some
507
	 * other events might have been queued by the poll callback.
508
	 * We re-insert them inside the main ready-list here.
509
	 */
510
	for (nepi = ep->ovflist; (epi = nepi) != NULL;
511
	     nepi = epi->next, epi->next = EP_UNACTIVE_PTR) {
512
		/*
513
		 * We need to check if the item is already in the list.
514
		 * During the "sproc" callback execution time, items are
515
		 * queued into ->ovflist but the "txlist" might already
516
		 * contain them, and the list_splice() below takes care of them.
517
		 */
518
		if (!ep_is_linked(&epi->rdllink))
519
			list_add_tail(&epi->rdllink, &ep->rdllist);
520
	}
521
	/*
522
	 * We need to set back ep->ovflist to EP_UNACTIVE_PTR, so that after
523
	 * releasing the lock, events will be queued in the normal way inside
524
	 * ep->rdllist.
525
	 */
526
	ep->ovflist = EP_UNACTIVE_PTR;
527

528
	/*
529
	 * Quickly re-inject items left on "txlist".
530
	 */
531
	list_splice(&txlist, &ep->rdllist);
532

533
	if (!list_empty(&ep->rdllist)) {
534
		/*
535
		 * Wake up (if active) both the eventpoll wait list and
536
		 * the ->poll() wait list (delayed after we release the lock).
537
		 */
538
		if (waitqueue_active(&ep->wq))
539
			wake_up_locked(&ep->wq);
540
		if (waitqueue_active(&ep->poll_wait))
541
			pwake++;
542
	}
543
	spin_unlock_irqrestore(&ep->lock, flags);
544

545
	mutex_unlock(&ep->mtx);
546

547
	/* We have to call this outside the lock */
548
	if (pwake)
549
		ep_poll_safewake(&ep->poll_wait);
550

551
	return error;
552
}
553

554
/*
555
 * Removes a "struct epitem" from the eventpoll RB tree and deallocates
556
 * all the associated resources. Must be called with "mtx" held.
557
 */
558
static int ep_remove(struct eventpoll *ep, struct epitem *epi)
559
{
560
	unsigned long flags;
561
	struct file *file = epi->ffd.file;
562

563
	/*
564
	 * Removes poll wait queue hooks. We _have_ to do this without holding
565
	 * the "ep->lock" otherwise a deadlock might occur. This because of the
566
	 * sequence of the lock acquisition. Here we do "ep->lock" then the wait
567
	 * queue head lock when unregistering the wait queue. The wakeup callback
568
	 * will run by holding the wait queue head lock and will call our callback
569
	 * that will try to get "ep->lock".
570
	 */
571
	ep_unregister_pollwait(ep, epi);
572

573
	/* Remove the current item from the list of epoll hooks */
574
	spin_lock(&file->f_lock);
575
	if (ep_is_linked(&epi->fllink))
576
		list_del_init(&epi->fllink);
577
	spin_unlock(&file->f_lock);
578

579
	rb_erase(&epi->rbn, &ep->rbr);
580

581
	spin_lock_irqsave(&ep->lock, flags);
582
	if (ep_is_linked(&epi->rdllink))
583
		list_del_init(&epi->rdllink);
584
	spin_unlock_irqrestore(&ep->lock, flags);
585

586
	/* At this point it is safe to free the eventpoll item */
587
	kmem_cache_free(epi_cache, epi);
588

589
	atomic_long_dec(&ep->user->epoll_watches);
590

591
	return 0;
592
}
593

594
static void ep_free(struct eventpoll *ep)
595
{
596
	struct rb_node *rbp;
597
	struct epitem *epi;
598

599
	/* We need to release all tasks waiting for these file */
600
	if (waitqueue_active(&ep->poll_wait))
601
		ep_poll_safewake(&ep->poll_wait);
602

603
	/*
604
	 * We need to lock this because we could be hit by
605
	 * eventpoll_release_file() while we're freeing the "struct eventpoll".
606
	 * We do not need to hold "ep->mtx" here because the epoll file
607
	 * is on the way to be removed and no one has references to it
608
	 * anymore. The only hit might come from eventpoll_release_file() but
609
	 * holding "epmutex" is sufficient here.
610
	 */
611
	mutex_lock(&epmutex);
612

613
	/*
614
	 * Walks through the whole tree by unregistering poll callbacks.
615
	 */
616
	for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) {
617
		epi = rb_entry(rbp, struct epitem, rbn);
618

619
		ep_unregister_pollwait(ep, epi);
620
	}
621

622
	/*
623
	 * Walks through the whole tree by freeing each "struct epitem". At this
624
	 * point we are sure no poll callbacks will be lingering around, and also by
625
	 * holding "epmutex" we can be sure that no file cleanup code will hit
626
	 * us during this operation. So we can avoid the lock on "ep->lock".
627
	 */
628
	while ((rbp = rb_first(&ep->rbr)) != NULL) {
629
		epi = rb_entry(rbp, struct epitem, rbn);
630
		ep_remove(ep, epi);
631
	}
632

633
	mutex_unlock(&epmutex);
634
	mutex_destroy(&ep->mtx);
635
	free_uid(ep->user);
636
	kfree(ep);
637
}
638

639
static int ep_eventpoll_release(struct inode *inode, struct file *file)
640
{
641
	struct eventpoll *ep = file->private_data;
642

643
	if (ep)
644
		ep_free(ep);
645

646
	return 0;
647
}
648

649
static int ep_read_events_proc(struct eventpoll *ep, struct list_head *head,
650
			       void *priv)
651
{
652
	struct epitem *epi, *tmp;
653

654
	list_for_each_entry_safe(epi, tmp, head, rdllink) {
655
		if (epi->ffd.file->f_op->poll(epi->ffd.file, NULL) &
656
		    epi->event.events)
657
			return POLLIN | POLLRDNORM;
658
		else {
659
			/*
660
			 * Item has been dropped into the ready list by the poll
661
			 * callback, but it's not actually ready, as far as
662
			 * caller requested events goes. We can remove it here.
663
			 */
664
			list_del_init(&epi->rdllink);
665
		}
666
	}
667

668
	return 0;
669
}
670

671
static int ep_poll_readyevents_proc(void *priv, void *cookie, int call_nests)
672
{
673
	return ep_scan_ready_list(priv, ep_read_events_proc, NULL);
674
}
675

676
static unsigned int ep_eventpoll_poll(struct file *file, poll_table *wait)
677
{
678
	int pollflags;
679
	struct eventpoll *ep = file->private_data;
680

681
	/* Insert inside our poll wait queue */
682
	poll_wait(file, &ep->poll_wait, wait);
683

684
	/*
685
	 * Proceed to find out if wanted events are really available inside
686
	 * the ready list. This need to be done under ep_call_nested()
687
	 * supervision, since the call to f_op->poll() done on listed files
688
	 * could re-enter here.
689
	 */
690
	pollflags = ep_call_nested(&poll_readywalk_ncalls, EP_MAX_NESTS,
691
				   ep_poll_readyevents_proc, ep, ep, current);
692

693
	return pollflags != -1 ? pollflags : 0;
694
}
695

696
/* File callbacks that implement the eventpoll file behaviour */
697
static const struct file_operations eventpoll_fops = {
698
	.release	= ep_eventpoll_release,
699
	.poll		= ep_eventpoll_poll,
700
	.llseek		= noop_llseek,
701
};
702

703
/* Fast test to see if the file is an evenpoll file */
704
static inline int is_file_epoll(struct file *f)
705
{
706
	return f->f_op == &eventpoll_fops;
707
}
708

709
/*
710
 * This is called from eventpoll_release() to unlink files from the eventpoll
711
 * interface. We need to have this facility to cleanup correctly files that are
712
 * closed without being removed from the eventpoll interface.
713
 */
714
void eventpoll_release_file(struct file *file)
715
{
716
	struct list_head *lsthead = &file->f_ep_links;
717
	struct eventpoll *ep;
718
	struct epitem *epi;
719

720
	/*
721
	 * We don't want to get "file->f_lock" because it is not
722
	 * necessary. It is not necessary because we're in the "struct file"
723
	 * cleanup path, and this means that no one is using this file anymore.
724
	 * So, for example, epoll_ctl() cannot hit here since if we reach this
725
	 * point, the file counter already went to zero and fget() would fail.
726
	 * The only hit might come from ep_free() but by holding the mutex
727
	 * will correctly serialize the operation. We do need to acquire
728
	 * "ep->mtx" after "epmutex" because ep_remove() requires it when called
729
	 * from anywhere but ep_free().
730
	 *
731
	 * Besides, ep_remove() acquires the lock, so we can't hold it here.
732
	 */
733
	mutex_lock(&epmutex);
734

735
	while (!list_empty(lsthead)) {
736
		epi = list_first_entry(lsthead, struct epitem, fllink);
737

738
		ep = epi->ep;
739
		list_del_init(&epi->fllink);
740
		mutex_lock(&ep->mtx);
741
		ep_remove(ep, epi);
742
		mutex_unlock(&ep->mtx);
743
	}
744

745
	mutex_unlock(&epmutex);
746
}
747

748
static int ep_alloc(struct eventpoll **pep)
749
{
750
	int error;
751
	struct user_struct *user;
752
	struct eventpoll *ep;
753

754
	user = get_current_user();
755
	error = -ENOMEM;
756
	ep = kzalloc(sizeof(*ep), GFP_KERNEL);
757
	if (unlikely(!ep))
758
		goto free_uid;
759

760
	spin_lock_init(&ep->lock);
761
	mutex_init(&ep->mtx);
762
	init_waitqueue_head(&ep->wq);
763
	init_waitqueue_head(&ep->poll_wait);
764
	INIT_LIST_HEAD(&ep->rdllist);
765
	ep->rbr = RB_ROOT;
766
	ep->ovflist = EP_UNACTIVE_PTR;
767
	ep->user = user;
768

769
	*pep = ep;
770

771
	return 0;
772

773
free_uid:
774
	free_uid(user);
775
	return error;
776
}
777

778
/*
779
 * Search the file inside the eventpoll tree. The RB tree operations
780
 * are protected by the "mtx" mutex, and ep_find() must be called with
781
 * "mtx" held.
782
 */
783
static struct epitem *ep_find(struct eventpoll *ep, struct file *file, int fd)
784
{
785
	int kcmp;
786
	struct rb_node *rbp;
787
	struct epitem *epi, *epir = NULL;
788
	struct epoll_filefd ffd;
789

790
	ep_set_ffd(&ffd, file, fd);
791
	for (rbp = ep->rbr.rb_node; rbp; ) {
792
		epi = rb_entry(rbp, struct epitem, rbn);
793
		kcmp = ep_cmp_ffd(&ffd, &epi->ffd);
794
		if (kcmp > 0)
795
			rbp = rbp->rb_right;
796
		else if (kcmp < 0)
797
			rbp = rbp->rb_left;
798
		else {
799
			epir = epi;
800
			break;
801
		}
802
	}
803

804
	return epir;
805
}
806

807
/*
808
 * This is the callback that is passed to the wait queue wakeup
809
 * mechanism. It is called by the stored file descriptors when they
810
 * have events to report.
811
 */
812
static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *key)
813
{
814
	int pwake = 0;
815
	unsigned long flags;
816
	struct epitem *epi = ep_item_from_wait(wait);
817
	struct eventpoll *ep = epi->ep;
818

819
	spin_lock_irqsave(&ep->lock, flags);
820

821
	/*
822
	 * If the event mask does not contain any poll(2) event, we consider the
823
	 * descriptor to be disabled. This condition is likely the effect of the
824
	 * EPOLLONESHOT bit that disables the descriptor when an event is received,
825
	 * until the next EPOLL_CTL_MOD will be issued.
826
	 */
827
	if (!(epi->event.events & ~EP_PRIVATE_BITS))
828
		goto out_unlock;
829

830
	/*
831
	 * Check the events coming with the callback. At this stage, not
832
	 * every device reports the events in the "key" parameter of the
833
	 * callback. We need to be able to handle both cases here, hence the
834
	 * test for "key" != NULL before the event match test.
835
	 */
836
	if (key && !((unsigned long) key & epi->event.events))
837
		goto out_unlock;
838

839
	/*
840
	 * If we are transferring events to userspace, we can hold no locks
841
	 * (because we're accessing user memory, and because of linux f_op->poll()
842
	 * semantics). All the events that happen during that period of time are
843
	 * chained in ep->ovflist and requeued later on.
844
	 */
845
	if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) {
846
		if (epi->next == EP_UNACTIVE_PTR) {
847
			epi->next = ep->ovflist;
848
			ep->ovflist = epi;
849
		}
850
		goto out_unlock;
851
	}
852

853
	/* If this file is already in the ready list we exit soon */
854
	if (!ep_is_linked(&epi->rdllink))
855
		list_add_tail(&epi->rdllink, &ep->rdllist);
856

857
	/*
858
	 * Wake up ( if active ) both the eventpoll wait list and the ->poll()
859
	 * wait list.
860
	 */
861
	if (waitqueue_active(&ep->wq))
862
		wake_up_locked(&ep->wq);
863
	if (waitqueue_active(&ep->poll_wait))
864
		pwake++;
865

866
out_unlock:
867
	spin_unlock_irqrestore(&ep->lock, flags);
868

869
	/* We have to call this outside the lock */
870
	if (pwake)
871
		ep_poll_safewake(&ep->poll_wait);
872

873
	return 1;
874
}
875

876
/*
877
 * This is the callback that is used to add our wait queue to the
878
 * target file wakeup lists.
879
 */
880
static void ep_ptable_queue_proc(struct file *file, wait_queue_head_t *whead,
881
				 poll_table *pt)
882
{
883
	struct epitem *epi = ep_item_from_epqueue(pt);
884
	struct eppoll_entry *pwq;
885

886
	if (epi->nwait >= 0 && (pwq = kmem_cache_alloc(pwq_cache, GFP_KERNEL))) {
887
		init_waitqueue_func_entry(&pwq->wait, ep_poll_callback);
888
		pwq->whead = whead;
889
		pwq->base = epi;
890
		add_wait_queue(whead, &pwq->wait);
891
		list_add_tail(&pwq->llink, &epi->pwqlist);
892
		epi->nwait++;
893
	} else {
894
		/* We have to signal that an error occurred */
895
		epi->nwait = -1;
896
	}
897
}
898

899
static void ep_rbtree_insert(struct eventpoll *ep, struct epitem *epi)
900
{
901
	int kcmp;
902
	struct rb_node **p = &ep->rbr.rb_node, *parent = NULL;
903
	struct epitem *epic;
904

905
	while (*p) {
906
		parent = *p;
907
		epic = rb_entry(parent, struct epitem, rbn);
908
		kcmp = ep_cmp_ffd(&epi->ffd, &epic->ffd);
909
		if (kcmp > 0)
910
			p = &parent->rb_right;
911
		else
912
			p = &parent->rb_left;
913
	}
914
	rb_link_node(&epi->rbn, parent, p);
915
	rb_insert_color(&epi->rbn, &ep->rbr);
916
}
917

918
/*
919
 * Must be called with "mtx" held.
920
 */
921
static int ep_insert(struct eventpoll *ep, struct epoll_event *event,
922
		     struct file *tfile, int fd)
923
{
924
	int error, revents, pwake = 0;
925
	unsigned long flags;
926
	long user_watches;
927
	struct epitem *epi;
928
	struct ep_pqueue epq;
929

930
	user_watches = atomic_long_read(&ep->user->epoll_watches);
931
	if (unlikely(user_watches >= max_user_watches))
932
		return -ENOSPC;
933
	if (!(epi = kmem_cache_alloc(epi_cache, GFP_KERNEL)))
934
		return -ENOMEM;
935

936
	/* Item initialization follow here ... */
937
	INIT_LIST_HEAD(&epi->rdllink);
938
	INIT_LIST_HEAD(&epi->fllink);
939
	INIT_LIST_HEAD(&epi->pwqlist);
940
	epi->ep = ep;
941
	ep_set_ffd(&epi->ffd, tfile, fd);
942
	epi->event = *event;
943
	epi->nwait = 0;
944
	epi->next = EP_UNACTIVE_PTR;
945

946
	/* Initialize the poll table using the queue callback */
947
	epq.epi = epi;
948
	init_poll_funcptr(&epq.pt, ep_ptable_queue_proc);
949

950
	/*
951
	 * Attach the item to the poll hooks and get current event bits.
952
	 * We can safely use the file* here because its usage count has
953
	 * been increased by the caller of this function. Note that after
954
	 * this operation completes, the poll callback can start hitting
955
	 * the new item.
956
	 */
957
	revents = tfile->f_op->poll(tfile, &epq.pt);
958

959
	/*
960
	 * We have to check if something went wrong during the poll wait queue
961
	 * install process. Namely an allocation for a wait queue failed due
962
	 * high memory pressure.
963
	 */
964
	error = -ENOMEM;
965
	if (epi->nwait < 0)
966
		goto error_unregister;
967

968
	/* Add the current item to the list of active epoll hook for this file */
969
	spin_lock(&tfile->f_lock);
970
	list_add_tail(&epi->fllink, &tfile->f_ep_links);
971
	spin_unlock(&tfile->f_lock);
972

973
	/*
974
	 * Add the current item to the RB tree. All RB tree operations are
975
	 * protected by "mtx", and ep_insert() is called with "mtx" held.
976
	 */
977
	ep_rbtree_insert(ep, epi);
978

979
	/* We have to drop the new item inside our item list to keep track of it */
980
	spin_lock_irqsave(&ep->lock, flags);
981

982
	/* If the file is already "ready" we drop it inside the ready list */
983
	if ((revents & event->events) && !ep_is_linked(&epi->rdllink)) {
984
		list_add_tail(&epi->rdllink, &ep->rdllist);
985

986
		/* Notify waiting tasks that events are available */
987
		if (waitqueue_active(&ep->wq))
988
			wake_up_locked(&ep->wq);
989
		if (waitqueue_active(&ep->poll_wait))
990
			pwake++;
991
	}
992

993
	spin_unlock_irqrestore(&ep->lock, flags);
994

995
	atomic_long_inc(&ep->user->epoll_watches);
996

997
	/* We have to call this outside the lock */
998
	if (pwake)
999
		ep_poll_safewake(&ep->poll_wait);
1000

1001
	return 0;
1002

1003
error_unregister:
1004
	ep_unregister_pollwait(ep, epi);
1005

1006
	/*
1007
	 * We need to do this because an event could have been arrived on some
1008
	 * allocated wait queue. Note that we don't care about the ep->ovflist
1009
	 * list, since that is used/cleaned only inside a section bound by "mtx".
1010
	 * And ep_insert() is called with "mtx" held.
1011
	 */
1012
	spin_lock_irqsave(&ep->lock, flags);
1013
	if (ep_is_linked(&epi->rdllink))
1014
		list_del_init(&epi->rdllink);
1015
	spin_unlock_irqrestore(&ep->lock, flags);
1016

1017
	kmem_cache_free(epi_cache, epi);
1018

1019
	return error;
1020
}
1021

1022
/*
1023
 * Modify the interest event mask by dropping an event if the new mask
1024
 * has a match in the current file status. Must be called with "mtx" held.
1025
 */
1026
static int ep_modify(struct eventpoll *ep, struct epitem *epi, struct epoll_event *event)
1027
{
1028
	int pwake = 0;
1029
	unsigned int revents;
1030

1031
	/*
1032
	 * Set the new event interest mask before calling f_op->poll();
1033
	 * otherwise we might miss an event that happens between the
1034
	 * f_op->poll() call and the new event set registering.
1035
	 */
1036
	epi->event.events = event->events;
1037
	epi->event.data = event->data; /* protected by mtx */
1038

1039
	/*
1040
	 * Get current event bits. We can safely use the file* here because
1041
	 * its usage count has been increased by the caller of this function.
1042
	 */
1043
	revents = epi->ffd.file->f_op->poll(epi->ffd.file, NULL);
1044

1045
	/*
1046
	 * If the item is "hot" and it is not registered inside the ready
1047
	 * list, push it inside.
1048
	 */
1049
	if (revents & event->events) {
1050
		spin_lock_irq(&ep->lock);
1051
		if (!ep_is_linked(&epi->rdllink)) {
1052
			list_add_tail(&epi->rdllink, &ep->rdllist);
1053

1054
			/* Notify waiting tasks that events are available */
1055
			if (waitqueue_active(&ep->wq))
1056
				wake_up_locked(&ep->wq);
1057
			if (waitqueue_active(&ep->poll_wait))
1058
				pwake++;
1059
		}
1060
		spin_unlock_irq(&ep->lock);
1061
	}
1062

1063
	/* We have to call this outside the lock */
1064
	if (pwake)
1065
		ep_poll_safewake(&ep->poll_wait);
1066

1067
	return 0;
1068
}
1069

1070
static int ep_send_events_proc(struct eventpoll *ep, struct list_head *head,
1071
			       void *priv)
1072
{
1073
	struct ep_send_events_data *esed = priv;
1074
	int eventcnt;
1075
	unsigned int revents;
1076
	struct epitem *epi;
1077
	struct epoll_event __user *uevent;
1078

1079
	/*
1080
	 * We can loop without lock because we are passed a task private list.
1081
	 * Items cannot vanish during the loop because ep_scan_ready_list() is
1082
	 * holding "mtx" during this call.
1083
	 */
1084
	for (eventcnt = 0, uevent = esed->events;
1085
	     !list_empty(head) && eventcnt < esed->maxevents;) {
1086
		epi = list_first_entry(head, struct epitem, rdllink);
1087

1088
		list_del_init(&epi->rdllink);
1089

1090
		revents = epi->ffd.file->f_op->poll(epi->ffd.file, NULL) &
1091
			epi->event.events;
1092

1093
		/*
1094
		 * If the event mask intersect the caller-requested one,
1095
		 * deliver the event to userspace. Again, ep_scan_ready_list()
1096
		 * is holding "mtx", so no operations coming from userspace
1097
		 * can change the item.
1098
		 */
1099
		if (revents) {
1100
			if (__put_user(revents, &uevent->events) ||
1101
			    __put_user(epi->event.data, &uevent->data)) {
1102
				list_add(&epi->rdllink, head);
1103
				return eventcnt ? eventcnt : -EFAULT;
1104
			}
1105
			eventcnt++;
1106
			uevent++;
1107
			if (epi->event.events & EPOLLONESHOT)
1108
				epi->event.events &= EP_PRIVATE_BITS;
1109
			else if (!(epi->event.events & EPOLLET)) {
1110
				/*
1111
				 * If this file has been added with Level
1112
				 * Trigger mode, we need to insert back inside
1113
				 * the ready list, so that the next call to
1114
				 * epoll_wait() will check again the events
1115
				 * availability. At this point, no one can insert
1116
				 * into ep->rdllist besides us. The epoll_ctl()
1117
				 * callers are locked out by
1118
				 * ep_scan_ready_list() holding "mtx" and the
1119
				 * poll callback will queue them in ep->ovflist.
1120
				 */
1121
				list_add_tail(&epi->rdllink, &ep->rdllist);
1122
			}
1123
		}
1124
	}
1125

1126
	return eventcnt;
1127
}
1128

1129
static int ep_send_events(struct eventpoll *ep,
1130
			  struct epoll_event __user *events, int maxevents)
1131
{
1132
	struct ep_send_events_data esed;
1133

1134
	esed.maxevents = maxevents;
1135
	esed.events = events;
1136

1137
	return ep_scan_ready_list(ep, ep_send_events_proc, &esed);
1138
}
1139

1140
static inline struct timespec ep_set_mstimeout(long ms)
1141
{
1142
	struct timespec now, ts = {
1143
		.tv_sec = ms / MSEC_PER_SEC,
1144
		.tv_nsec = NSEC_PER_MSEC * (ms % MSEC_PER_SEC),
1145
	};
1146

1147
	ktime_get_ts(&now);
1148
	return timespec_add_safe(now, ts);
1149
}
1150

1151
/**
1152
 * ep_poll - Retrieves ready events, and delivers them to the caller supplied
1153
 *           event buffer.
1154
 *
1155
 * @ep: Pointer to the eventpoll context.
1156
 * @events: Pointer to the userspace buffer where the ready events should be
1157
 *          stored.
1158
 * @maxevents: Size (in terms of number of events) of the caller event buffer.
1159
 * @timeout: Maximum timeout for the ready events fetch operation, in
1160
 *           milliseconds. If the @timeout is zero, the function will not block,
1161
 *           while if the @timeout is less than zero, the function will block
1162
 *           until at least one event has been retrieved (or an error
1163
 *           occurred).
1164
 *
1165
 * Returns: Returns the number of ready events which have been fetched, or an
1166
 *          error code, in case of error.
1167
 */
1168
static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
1169
		   int maxevents, long timeout)
1170
{
1171
	int res = 0, eavail, timed_out = 0;
1172
	unsigned long flags;
1173
	long slack = 0;
1174
	wait_queue_t wait;
1175
	ktime_t expires, *to = NULL;
1176

1177
	if (timeout > 0) {
1178
		struct timespec end_time = ep_set_mstimeout(timeout);
1179

1180
		slack = select_estimate_accuracy(&end_time);
1181
		to = &expires;
1182
		*to = timespec_to_ktime(end_time);
1183
	} else if (timeout == 0) {
1184
		/*
1185
		 * Avoid the unnecessary trip to the wait queue loop, if the
1186
		 * caller specified a non blocking operation.
1187
		 */
1188
		timed_out = 1;
1189
		spin_lock_irqsave(&ep->lock, flags);
1190
		goto check_events;
1191
	}
1192

1193
fetch_events:
1194
	spin_lock_irqsave(&ep->lock, flags);
1195

1196
	if (!ep_events_available(ep)) {
1197
		/*
1198
		 * We don't have any available event to return to the caller.
1199
		 * We need to sleep here, and we will be wake up by
1200
		 * ep_poll_callback() when events will become available.
1201
		 */
1202
		init_waitqueue_entry(&wait, current);
1203
		__add_wait_queue_exclusive(&ep->wq, &wait);
1204

1205
		for (;;) {
1206
			/*
1207
			 * We don't want to sleep if the ep_poll_callback() sends us
1208
			 * a wakeup in between. That's why we set the task state
1209
			 * to TASK_INTERRUPTIBLE before doing the checks.
1210
			 */
1211
			set_current_state(TASK_INTERRUPTIBLE);
1212
			if (ep_events_available(ep) || timed_out)
1213
				break;
1214
			if (signal_pending(current)) {
1215
				res = -EINTR;
1216
				break;
1217
			}
1218

1219
			spin_unlock_irqrestore(&ep->lock, flags);
1220
			if (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS))
1221
				timed_out = 1;
1222

1223
			spin_lock_irqsave(&ep->lock, flags);
1224
		}
1225
		__remove_wait_queue(&ep->wq, &wait);
1226

1227
		set_current_state(TASK_RUNNING);
1228
	}
1229
check_events:
1230
	/* Is it worth to try to dig for events ? */
1231
	eavail = ep_events_available(ep);
1232

1233
	spin_unlock_irqrestore(&ep->lock, flags);
1234

1235
	/*
1236
	 * Try to transfer events to user space. In case we get 0 events and
1237
	 * there's still timeout left over, we go trying again in search of
1238
	 * more luck.
1239
	 */
1240
	if (!res && eavail &&
1241
	    !(res = ep_send_events(ep, events, maxevents)) && !timed_out)
1242
		goto fetch_events;
1243

1244
	return res;
1245
}
1246

1247
/**
1248
 * ep_loop_check_proc - Callback function to be passed to the @ep_call_nested()
1249
 *                      API, to verify that adding an epoll file inside another
1250
 *                      epoll structure, does not violate the constraints, in
1251
 *                      terms of closed loops, or too deep chains (which can
1252
 *                      result in excessive stack usage).
1253
 *
1254
 * @priv: Pointer to the epoll file to be currently checked.
1255
 * @cookie: Original cookie for this call. This is the top-of-the-chain epoll
1256
 *          data structure pointer.
1257
 * @call_nests: Current dept of the @ep_call_nested() call stack.
1258
 *
1259
 * Returns: Returns zero if adding the epoll @file inside current epoll
1260
 *          structure @ep does not violate the constraints, or -1 otherwise.
1261
 */
1262
static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
1263
{
1264
	int error = 0;
1265
	struct file *file = priv;
1266
	struct eventpoll *ep = file->private_data;
1267
	struct rb_node *rbp;
1268
	struct epitem *epi;
1269

1270
	mutex_lock(&ep->mtx);
1271
	for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) {
1272
		epi = rb_entry(rbp, struct epitem, rbn);
1273
		if (unlikely(is_file_epoll(epi->ffd.file))) {
1274
			error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
1275
					       ep_loop_check_proc, epi->ffd.file,
1276
					       epi->ffd.file->private_data, current);
1277
			if (error != 0)
1278
				break;
1279
		}
1280
	}
1281
	mutex_unlock(&ep->mtx);
1282

1283
	return error;
1284
}
1285

1286
/**
1287
 * ep_loop_check - Performs a check to verify that adding an epoll file (@file)
1288
 *                 another epoll file (represented by @ep) does not create
1289
 *                 closed loops or too deep chains.
1290
 *
1291
 * @ep: Pointer to the epoll private data structure.
1292
 * @file: Pointer to the epoll file to be checked.
1293
 *
1294
 * Returns: Returns zero if adding the epoll @file inside current epoll
1295
 *          structure @ep does not violate the constraints, or -1 otherwise.
1296
 */
1297
static int ep_loop_check(struct eventpoll *ep, struct file *file)
1298
{
1299
	return ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
1300
			      ep_loop_check_proc, file, ep, current);
1301
}
1302

1303
/*
1304
 * Open an eventpoll file descriptor.
1305
 */
1306
SYSCALL_DEFINE1(epoll_create1, int, flags)
1307
{
1308
	int error;
1309
	struct eventpoll *ep = NULL;
1310

1311
	/* Check the EPOLL_* constant for consistency.  */
1312
	BUILD_BUG_ON(EPOLL_CLOEXEC != O_CLOEXEC);
1313

1314
	if (flags & ~EPOLL_CLOEXEC)
1315
		return -EINVAL;
1316
	/*
1317
	 * Create the internal data structure ("struct eventpoll").
1318
	 */
1319
	error = ep_alloc(&ep);
1320
	if (error < 0)
1321
		return error;
1322
	/*
1323
	 * Creates all the items needed to setup an eventpoll file. That is,
1324
	 * a file structure and a free file descriptor.
1325
	 */
1326
	error = anon_inode_getfd("[eventpoll]", &eventpoll_fops, ep,
1327
				 O_RDWR | (flags & O_CLOEXEC));
1328
	if (error < 0)
1329
		ep_free(ep);
1330

1331
	return error;
1332
}
1333

1334
SYSCALL_DEFINE1(epoll_create, int, size)
1335
{
1336
	if (size <= 0)
1337
		return -EINVAL;
1338

1339
	return sys_epoll_create1(0);
1340
}
1341

1342
/*
1343
 * The following function implements the controller interface for
1344
 * the eventpoll file that enables the insertion/removal/change of
1345
 * file descriptors inside the interest set.
1346
 */
1347
SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
1348
		struct epoll_event __user *, event)
1349
{
1350
	int error;
1351
	int did_lock_epmutex = 0;
1352
	struct file *file, *tfile;
1353
	struct eventpoll *ep;
1354
	struct epitem *epi;
1355
	struct epoll_event epds;
1356

1357
	error = -EFAULT;
1358
	if (ep_op_has_event(op) &&
1359
	    copy_from_user(&epds, event, sizeof(struct epoll_event)))
1360
		goto error_return;
1361

1362
	/* Get the "struct file *" for the eventpoll file */
1363
	error = -EBADF;
1364
	file = fget(epfd);
1365
	if (!file)
1366
		goto error_return;
1367

1368
	/* Get the "struct file *" for the target file */
1369
	tfile = fget(fd);
1370
	if (!tfile)
1371
		goto error_fput;
1372

1373
	/* The target file descriptor must support poll */
1374
	error = -EPERM;
1375
	if (!tfile->f_op || !tfile->f_op->poll)
1376
		goto error_tgt_fput;
1377

1378
	/*
1379
	 * We have to check that the file structure underneath the file descriptor
1380
	 * the user passed to us _is_ an eventpoll file. And also we do not permit
1381
	 * adding an epoll file descriptor inside itself.
1382
	 */
1383
	error = -EINVAL;
1384
	if (file == tfile || !is_file_epoll(file))
1385
		goto error_tgt_fput;
1386

1387
	/*
1388
	 * At this point it is safe to assume that the "private_data" contains
1389
	 * our own data structure.
1390
	 */
1391
	ep = file->private_data;
1392

1393
	/*
1394
	 * When we insert an epoll file descriptor, inside another epoll file
1395
	 * descriptor, there is the change of creating closed loops, which are
1396
	 * better be handled here, than in more critical paths.
1397
	 *
1398
	 * We hold epmutex across the loop check and the insert in this case, in
1399
	 * order to prevent two separate inserts from racing and each doing the
1400
	 * insert "at the same time" such that ep_loop_check passes on both
1401
	 * before either one does the insert, thereby creating a cycle.
1402
	 */
1403
	if (unlikely(is_file_epoll(tfile) && op == EPOLL_CTL_ADD)) {
1404
		mutex_lock(&epmutex);
1405
		did_lock_epmutex = 1;
1406
		error = -ELOOP;
1407
		if (ep_loop_check(ep, tfile) != 0)
1408
			goto error_tgt_fput;
1409
	}
1410

1411

1412
	mutex_lock(&ep->mtx);
1413

1414
	/*
1415
	 * Try to lookup the file inside our RB tree, Since we grabbed "mtx"
1416
	 * above, we can be sure to be able to use the item looked up by
1417
	 * ep_find() till we release the mutex.
1418
	 */
1419
	epi = ep_find(ep, tfile, fd);
1420

1421
	error = -EINVAL;
1422
	switch (op) {
1423
	case EPOLL_CTL_ADD:
1424
		if (!epi) {
1425
			epds.events |= POLLERR | POLLHUP;
1426
			error = ep_insert(ep, &epds, tfile, fd);
1427
		} else
1428
			error = -EEXIST;
1429
		break;
1430
	case EPOLL_CTL_DEL:
1431
		if (epi)
1432
			error = ep_remove(ep, epi);
1433
		else
1434
			error = -ENOENT;
1435
		break;
1436
	case EPOLL_CTL_MOD:
1437
		if (epi) {
1438
			epds.events |= POLLERR | POLLHUP;
1439
			error = ep_modify(ep, epi, &epds);
1440
		} else
1441
			error = -ENOENT;
1442
		break;
1443
	}
1444
	mutex_unlock(&ep->mtx);
1445

1446
error_tgt_fput:
1447
	if (unlikely(did_lock_epmutex))
1448
		mutex_unlock(&epmutex);
1449

1450
	fput(tfile);
1451
error_fput:
1452
	fput(file);
1453
error_return:
1454

1455
	return error;
1456
}
1457

1458
/*
1459
 * Implement the event wait interface for the eventpoll file. It is the kernel
1460
 * part of the user space epoll_wait(2).
1461
 */
1462
SYSCALL_DEFINE4(epoll_wait, int, epfd, struct epoll_event __user *, events,
1463
		int, maxevents, int, timeout)
1464
{
1465
	int error;
1466
	struct file *file;
1467
	struct eventpoll *ep;
1468

1469
	/* The maximum number of event must be greater than zero */
1470
	if (maxevents <= 0 || maxevents > EP_MAX_EVENTS)
1471
		return -EINVAL;
1472

1473
	/* Verify that the area passed by the user is writeable */
1474
	if (!access_ok(VERIFY_WRITE, events, maxevents * sizeof(struct epoll_event))) {
1475
		error = -EFAULT;
1476
		goto error_return;
1477
	}
1478

1479
	/* Get the "struct file *" for the eventpoll file */
1480
	error = -EBADF;
1481
	file = fget(epfd);
1482
	if (!file)
1483
		goto error_return;
1484

1485
	/*
1486
	 * We have to check that the file structure underneath the fd
1487
	 * the user passed to us _is_ an eventpoll file.
1488
	 */
1489
	error = -EINVAL;
1490
	if (!is_file_epoll(file))
1491
		goto error_fput;
1492

1493
	/*
1494
	 * At this point it is safe to assume that the "private_data" contains
1495
	 * our own data structure.
1496
	 */
1497
	ep = file->private_data;
1498

1499
	/* Time to fish for events ... */
1500
	error = ep_poll(ep, events, maxevents, timeout);
1501

1502
error_fput:
1503
	fput(file);
1504
error_return:
1505

1506
	return error;
1507
}
1508

1509
#ifdef HAVE_SET_RESTORE_SIGMASK
1510

1511
/*
1512
 * Implement the event wait interface for the eventpoll file. It is the kernel
1513
 * part of the user space epoll_pwait(2).
1514
 */
1515
SYSCALL_DEFINE6(epoll_pwait, int, epfd, struct epoll_event __user *, events,
1516
		int, maxevents, int, timeout, const sigset_t __user *, sigmask,
1517
		size_t, sigsetsize)
1518
{
1519
	int error;
1520
	sigset_t ksigmask, sigsaved;
1521

1522
	/*
1523
	 * If the caller wants a certain signal mask to be set during the wait,
1524
	 * we apply it here.
1525
	 */
1526
	if (sigmask) {
1527
		if (sigsetsize != sizeof(sigset_t))
1528
			return -EINVAL;
1529
		if (copy_from_user(&ksigmask, sigmask, sizeof(ksigmask)))
1530
			return -EFAULT;
1531
		sigdelsetmask(&ksigmask, sigmask(SIGKILL) | sigmask(SIGSTOP));
1532
		sigprocmask(SIG_SETMASK, &ksigmask, &sigsaved);
1533
	}
1534

1535
	error = sys_epoll_wait(epfd, events, maxevents, timeout);
1536

1537
	/*
1538
	 * If we changed the signal mask, we need to restore the original one.
1539
	 * In case we've got a signal while waiting, we do not restore the
1540
	 * signal mask yet, and we allow do_signal() to deliver the signal on
1541
	 * the way back to userspace, before the signal mask is restored.
1542
	 */
1543
	if (sigmask) {
1544
		if (error == -EINTR) {
1545
			memcpy(&current->saved_sigmask, &sigsaved,
1546
			       sizeof(sigsaved));
1547
			set_restore_sigmask();
1548
		} else
1549
			sigprocmask(SIG_SETMASK, &sigsaved, NULL);
1550
	}
1551

1552
	return error;
1553
}
1554

1555
#endif /* HAVE_SET_RESTORE_SIGMASK */
1556

1557
static int __init eventpoll_init(void)
1558
{
1559
	struct sysinfo si;
1560

1561
	si_meminfo(&si);
1562
	/*
1563
	 * Allows top 4% of lomem to be allocated for epoll watches (per user).
1564
	 */
1565
	max_user_watches = (((si.totalram - si.totalhigh) / 25) << PAGE_SHIFT) /
1566
		EP_ITEM_COST;
1567
	BUG_ON(max_user_watches < 0);
1568

1569
	/*
1570
	 * Initialize the structure used to perform epoll file descriptor
1571
	 * inclusion loops checks.
1572
	 */
1573
	ep_nested_calls_init(&poll_loop_ncalls);
1574

1575
	/* Initialize the structure used to perform safe poll wait head wake ups */
1576
	ep_nested_calls_init(&poll_safewake_ncalls);
1577

1578
	/* Initialize the structure used to perform file's f_op->poll() calls */
1579
	ep_nested_calls_init(&poll_readywalk_ncalls);
1580

1581
	/* Allocates slab cache used to allocate "struct epitem" items */
1582
	epi_cache = kmem_cache_create("eventpoll_epi", sizeof(struct epitem),
1583
			0, SLAB_HWCACHE_ALIGN | SLAB_PANIC, NULL);
1584

1585
	/* Allocates slab cache used to allocate "struct eppoll_entry" */
1586
	pwq_cache = kmem_cache_create("eventpoll_pwq",
1587
			sizeof(struct eppoll_entry), 0, SLAB_PANIC, NULL);
1588

1589
	return 0;
1590
}
1591
fs_initcall(eventpoll_init);
1592

1593