xref: /linux/fs/pipe.c (revision ca64d84e93762f4e587e040a44ad9f6089afc777)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  linux/fs/pipe.c
4  *
5  *  Copyright (C) 1991, 1992, 1999  Linus Torvalds
6  */
7 
8 #include <linux/mm.h>
9 #include <linux/file.h>
10 #include <linux/poll.h>
11 #include <linux/slab.h>
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/fs.h>
15 #include <linux/log2.h>
16 #include <linux/mount.h>
17 #include <linux/pseudo_fs.h>
18 #include <linux/magic.h>
19 #include <linux/pipe_fs_i.h>
20 #include <linux/uio.h>
21 #include <linux/highmem.h>
22 #include <linux/pagemap.h>
23 #include <linux/audit.h>
24 #include <linux/syscalls.h>
25 #include <linux/fcntl.h>
26 #include <linux/memcontrol.h>
27 
28 #include <linux/uaccess.h>
29 #include <asm/ioctls.h>
30 
31 #include "internal.h"
32 
33 /*
34  * The max size that a non-root user is allowed to grow the pipe. Can
35  * be set by root in /proc/sys/fs/pipe-max-size
36  */
37 unsigned int pipe_max_size = 1048576;
38 
39 /* Maximum allocatable pages per user. Hard limit is unset by default, soft
40  * matches default values.
41  */
42 unsigned long pipe_user_pages_hard;
43 unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;
44 
45 /*
46  * We use head and tail indices that aren't masked off, except at the point of
47  * dereference, but rather they're allowed to wrap naturally.  This means there
48  * isn't a dead spot in the buffer, but the ring has to be a power of two and
49  * <= 2^31.
50  * -- David Howells 2019-09-23.
51  *
52  * Reads with count = 0 should always return 0.
53  * -- Julian Bradfield 1999-06-07.
54  *
55  * FIFOs and Pipes now generate SIGIO for both readers and writers.
56  * -- Jeremy Elson <jelson@circlemud.org> 2001-08-16
57  *
58  * pipe_read & write cleanup
59  * -- Manfred Spraul <manfred@colorfullife.com> 2002-05-09
60  */
61 
62 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
63 {
64 	if (pipe->files)
65 		mutex_lock_nested(&pipe->mutex, subclass);
66 }
67 
68 void pipe_lock(struct pipe_inode_info *pipe)
69 {
70 	/*
71 	 * pipe_lock() nests non-pipe inode locks (for writing to a file)
72 	 */
73 	pipe_lock_nested(pipe, I_MUTEX_PARENT);
74 }
75 EXPORT_SYMBOL(pipe_lock);
76 
77 void pipe_unlock(struct pipe_inode_info *pipe)
78 {
79 	if (pipe->files)
80 		mutex_unlock(&pipe->mutex);
81 }
82 EXPORT_SYMBOL(pipe_unlock);
83 
84 static inline void __pipe_lock(struct pipe_inode_info *pipe)
85 {
86 	mutex_lock_nested(&pipe->mutex, I_MUTEX_PARENT);
87 }
88 
89 static inline void __pipe_unlock(struct pipe_inode_info *pipe)
90 {
91 	mutex_unlock(&pipe->mutex);
92 }
93 
94 void pipe_double_lock(struct pipe_inode_info *pipe1,
95 		      struct pipe_inode_info *pipe2)
96 {
97 	BUG_ON(pipe1 == pipe2);
98 
99 	if (pipe1 < pipe2) {
100 		pipe_lock_nested(pipe1, I_MUTEX_PARENT);
101 		pipe_lock_nested(pipe2, I_MUTEX_CHILD);
102 	} else {
103 		pipe_lock_nested(pipe2, I_MUTEX_PARENT);
104 		pipe_lock_nested(pipe1, I_MUTEX_CHILD);
105 	}
106 }
107 
108 /* Drop the inode semaphore and wait for a pipe event, atomically */
109 void pipe_wait(struct pipe_inode_info *pipe)
110 {
111 	DEFINE_WAIT(rdwait);
112 	DEFINE_WAIT(wrwait);
113 
114 	/*
115 	 * Pipes are system-local resources, so sleeping on them
116 	 * is considered a noninteractive wait:
117 	 */
118 	prepare_to_wait(&pipe->rd_wait, &rdwait, TASK_INTERRUPTIBLE);
119 	prepare_to_wait(&pipe->wr_wait, &wrwait, TASK_INTERRUPTIBLE);
120 	pipe_unlock(pipe);
121 	schedule();
122 	finish_wait(&pipe->rd_wait, &rdwait);
123 	finish_wait(&pipe->wr_wait, &wrwait);
124 	pipe_lock(pipe);
125 }
126 
127 static void anon_pipe_buf_release(struct pipe_inode_info *pipe,
128 				  struct pipe_buffer *buf)
129 {
130 	struct page *page = buf->page;
131 
132 	/*
133 	 * If nobody else uses this page, and we don't already have a
134 	 * temporary page, let's keep track of it as a one-deep
135 	 * allocation cache. (Otherwise just release our reference to it)
136 	 */
137 	if (page_count(page) == 1 && !pipe->tmp_page)
138 		pipe->tmp_page = page;
139 	else
140 		put_page(page);
141 }
142 
143 static int anon_pipe_buf_steal(struct pipe_inode_info *pipe,
144 			       struct pipe_buffer *buf)
145 {
146 	struct page *page = buf->page;
147 
148 	if (page_count(page) == 1) {
149 		memcg_kmem_uncharge_page(page, 0);
150 		__SetPageLocked(page);
151 		return 0;
152 	}
153 	return 1;
154 }
155 
156 /**
157  * generic_pipe_buf_steal - attempt to take ownership of a &pipe_buffer
158  * @pipe:	the pipe that the buffer belongs to
159  * @buf:	the buffer to attempt to steal
160  *
161  * Description:
162  *	This function attempts to steal the &struct page attached to
163  *	@buf. If successful, this function returns 0 and returns with
164  *	the page locked. The caller may then reuse the page for whatever
165  *	he wishes; the typical use is insertion into a different file
166  *	page cache.
167  */
168 int generic_pipe_buf_steal(struct pipe_inode_info *pipe,
169 			   struct pipe_buffer *buf)
170 {
171 	struct page *page = buf->page;
172 
173 	/*
174 	 * A reference of one is golden, that means that the owner of this
175 	 * page is the only one holding a reference to it. lock the page
176 	 * and return OK.
177 	 */
178 	if (page_count(page) == 1) {
179 		lock_page(page);
180 		return 0;
181 	}
182 
183 	return 1;
184 }
185 EXPORT_SYMBOL(generic_pipe_buf_steal);
186 
187 /**
188  * generic_pipe_buf_get - get a reference to a &struct pipe_buffer
189  * @pipe:	the pipe that the buffer belongs to
190  * @buf:	the buffer to get a reference to
191  *
192  * Description:
193  *	This function grabs an extra reference to @buf. It's used in
194  *	in the tee() system call, when we duplicate the buffers in one
195  *	pipe into another.
196  */
197 bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
198 {
199 	return try_get_page(buf->page);
200 }
201 EXPORT_SYMBOL(generic_pipe_buf_get);
202 
203 /**
204  * generic_pipe_buf_confirm - verify contents of the pipe buffer
205  * @info:	the pipe that the buffer belongs to
206  * @buf:	the buffer to confirm
207  *
208  * Description:
209  *	This function does nothing, because the generic pipe code uses
210  *	pages that are always good when inserted into the pipe.
211  */
212 int generic_pipe_buf_confirm(struct pipe_inode_info *info,
213 			     struct pipe_buffer *buf)
214 {
215 	return 0;
216 }
217 EXPORT_SYMBOL(generic_pipe_buf_confirm);
218 
219 /**
220  * generic_pipe_buf_release - put a reference to a &struct pipe_buffer
221  * @pipe:	the pipe that the buffer belongs to
222  * @buf:	the buffer to put a reference to
223  *
224  * Description:
225  *	This function releases a reference to @buf.
226  */
227 void generic_pipe_buf_release(struct pipe_inode_info *pipe,
228 			      struct pipe_buffer *buf)
229 {
230 	put_page(buf->page);
231 }
232 EXPORT_SYMBOL(generic_pipe_buf_release);
233 
234 /* New data written to a pipe may be appended to a buffer with this type. */
235 static const struct pipe_buf_operations anon_pipe_buf_ops = {
236 	.confirm = generic_pipe_buf_confirm,
237 	.release = anon_pipe_buf_release,
238 	.steal = anon_pipe_buf_steal,
239 	.get = generic_pipe_buf_get,
240 };
241 
242 static const struct pipe_buf_operations anon_pipe_buf_nomerge_ops = {
243 	.confirm = generic_pipe_buf_confirm,
244 	.release = anon_pipe_buf_release,
245 	.steal = anon_pipe_buf_steal,
246 	.get = generic_pipe_buf_get,
247 };
248 
249 static const struct pipe_buf_operations packet_pipe_buf_ops = {
250 	.confirm = generic_pipe_buf_confirm,
251 	.release = anon_pipe_buf_release,
252 	.steal = anon_pipe_buf_steal,
253 	.get = generic_pipe_buf_get,
254 };
255 
256 /**
257  * pipe_buf_mark_unmergeable - mark a &struct pipe_buffer as unmergeable
258  * @buf:	the buffer to mark
259  *
260  * Description:
261  *	This function ensures that no future writes will be merged into the
262  *	given &struct pipe_buffer. This is necessary when multiple pipe buffers
263  *	share the same backing page.
264  */
265 void pipe_buf_mark_unmergeable(struct pipe_buffer *buf)
266 {
267 	if (buf->ops == &anon_pipe_buf_ops)
268 		buf->ops = &anon_pipe_buf_nomerge_ops;
269 }
270 
271 static bool pipe_buf_can_merge(struct pipe_buffer *buf)
272 {
273 	return buf->ops == &anon_pipe_buf_ops;
274 }
275 
276 /* Done while waiting without holding the pipe lock - thus the READ_ONCE() */
277 static inline bool pipe_readable(const struct pipe_inode_info *pipe)
278 {
279 	unsigned int head = READ_ONCE(pipe->head);
280 	unsigned int tail = READ_ONCE(pipe->tail);
281 	unsigned int writers = READ_ONCE(pipe->writers);
282 
283 	return !pipe_empty(head, tail) || !writers;
284 }
285 
286 static ssize_t
287 pipe_read(struct kiocb *iocb, struct iov_iter *to)
288 {
289 	size_t total_len = iov_iter_count(to);
290 	struct file *filp = iocb->ki_filp;
291 	struct pipe_inode_info *pipe = filp->private_data;
292 	bool was_full, wake_next_reader = false;
293 	ssize_t ret;
294 
295 	/* Null read succeeds. */
296 	if (unlikely(total_len == 0))
297 		return 0;
298 
299 	ret = 0;
300 	__pipe_lock(pipe);
301 
302 	/*
303 	 * We only wake up writers if the pipe was full when we started
304 	 * reading in order to avoid unnecessary wakeups.
305 	 *
306 	 * But when we do wake up writers, we do so using a sync wakeup
307 	 * (WF_SYNC), because we want them to get going and generate more
308 	 * data for us.
309 	 */
310 	was_full = pipe_full(pipe->head, pipe->tail, pipe->max_usage);
311 	for (;;) {
312 		unsigned int head = pipe->head;
313 		unsigned int tail = pipe->tail;
314 		unsigned int mask = pipe->ring_size - 1;
315 
316 		if (!pipe_empty(head, tail)) {
317 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
318 			size_t chars = buf->len;
319 			size_t written;
320 			int error;
321 
322 			if (chars > total_len)
323 				chars = total_len;
324 
325 			error = pipe_buf_confirm(pipe, buf);
326 			if (error) {
327 				if (!ret)
328 					ret = error;
329 				break;
330 			}
331 
332 			written = copy_page_to_iter(buf->page, buf->offset, chars, to);
333 			if (unlikely(written < chars)) {
334 				if (!ret)
335 					ret = -EFAULT;
336 				break;
337 			}
338 			ret += chars;
339 			buf->offset += chars;
340 			buf->len -= chars;
341 
342 			/* Was it a packet buffer? Clean up and exit */
343 			if (buf->flags & PIPE_BUF_FLAG_PACKET) {
344 				total_len = chars;
345 				buf->len = 0;
346 			}
347 
348 			if (!buf->len) {
349 				pipe_buf_release(pipe, buf);
350 				spin_lock_irq(&pipe->rd_wait.lock);
351 				tail++;
352 				pipe->tail = tail;
353 				spin_unlock_irq(&pipe->rd_wait.lock);
354 			}
355 			total_len -= chars;
356 			if (!total_len)
357 				break;	/* common path: read succeeded */
358 			if (!pipe_empty(head, tail))	/* More to do? */
359 				continue;
360 		}
361 
362 		if (!pipe->writers)
363 			break;
364 		if (ret)
365 			break;
366 		if (filp->f_flags & O_NONBLOCK) {
367 			ret = -EAGAIN;
368 			break;
369 		}
370 		__pipe_unlock(pipe);
371 
372 		/*
373 		 * We only get here if we didn't actually read anything.
374 		 *
375 		 * However, we could have seen (and removed) a zero-sized
376 		 * pipe buffer, and might have made space in the buffers
377 		 * that way.
378 		 *
379 		 * You can't make zero-sized pipe buffers by doing an empty
380 		 * write (not even in packet mode), but they can happen if
381 		 * the writer gets an EFAULT when trying to fill a buffer
382 		 * that already got allocated and inserted in the buffer
383 		 * array.
384 		 *
385 		 * So we still need to wake up any pending writers in the
386 		 * _very_ unlikely case that the pipe was full, but we got
387 		 * no data.
388 		 */
389 		if (unlikely(was_full)) {
390 			wake_up_interruptible_sync_poll(&pipe->wr_wait, EPOLLOUT | EPOLLWRNORM);
391 			kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
392 		}
393 
394 		/*
395 		 * But because we didn't read anything, at this point we can
396 		 * just return directly with -ERESTARTSYS if we're interrupted,
397 		 * since we've done any required wakeups and there's no need
398 		 * to mark anything accessed. And we've dropped the lock.
399 		 */
400 		if (wait_event_interruptible_exclusive(pipe->rd_wait, pipe_readable(pipe)) < 0)
401 			return -ERESTARTSYS;
402 
403 		__pipe_lock(pipe);
404 		was_full = pipe_full(pipe->head, pipe->tail, pipe->max_usage);
405 		wake_next_reader = true;
406 	}
407 	if (pipe_empty(pipe->head, pipe->tail))
408 		wake_next_reader = false;
409 	__pipe_unlock(pipe);
410 
411 	if (was_full) {
412 		wake_up_interruptible_sync_poll(&pipe->wr_wait, EPOLLOUT | EPOLLWRNORM);
413 		kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
414 	}
415 	if (wake_next_reader)
416 		wake_up_interruptible_sync_poll(&pipe->rd_wait, EPOLLIN | EPOLLRDNORM);
417 	if (ret > 0)
418 		file_accessed(filp);
419 	return ret;
420 }
421 
422 static inline int is_packetized(struct file *file)
423 {
424 	return (file->f_flags & O_DIRECT) != 0;
425 }
426 
427 /* Done while waiting without holding the pipe lock - thus the READ_ONCE() */
428 static inline bool pipe_writable(const struct pipe_inode_info *pipe)
429 {
430 	unsigned int head = READ_ONCE(pipe->head);
431 	unsigned int tail = READ_ONCE(pipe->tail);
432 	unsigned int max_usage = READ_ONCE(pipe->max_usage);
433 
434 	return !pipe_full(head, tail, max_usage) ||
435 		!READ_ONCE(pipe->readers);
436 }
437 
438 static ssize_t
439 pipe_write(struct kiocb *iocb, struct iov_iter *from)
440 {
441 	struct file *filp = iocb->ki_filp;
442 	struct pipe_inode_info *pipe = filp->private_data;
443 	unsigned int head;
444 	ssize_t ret = 0;
445 	size_t total_len = iov_iter_count(from);
446 	ssize_t chars;
447 	bool was_empty = false;
448 	bool wake_next_writer = false;
449 
450 	/* Null write succeeds. */
451 	if (unlikely(total_len == 0))
452 		return 0;
453 
454 	__pipe_lock(pipe);
455 
456 	if (!pipe->readers) {
457 		send_sig(SIGPIPE, current, 0);
458 		ret = -EPIPE;
459 		goto out;
460 	}
461 
462 	/*
463 	 * Only wake up if the pipe started out empty, since
464 	 * otherwise there should be no readers waiting.
465 	 *
466 	 * If it wasn't empty we try to merge new data into
467 	 * the last buffer.
468 	 *
469 	 * That naturally merges small writes, but it also
470 	 * page-aligs the rest of the writes for large writes
471 	 * spanning multiple pages.
472 	 */
473 	head = pipe->head;
474 	was_empty = pipe_empty(head, pipe->tail);
475 	chars = total_len & (PAGE_SIZE-1);
476 	if (chars && !was_empty) {
477 		unsigned int mask = pipe->ring_size - 1;
478 		struct pipe_buffer *buf = &pipe->bufs[(head - 1) & mask];
479 		int offset = buf->offset + buf->len;
480 
481 		if (pipe_buf_can_merge(buf) && offset + chars <= PAGE_SIZE) {
482 			ret = pipe_buf_confirm(pipe, buf);
483 			if (ret)
484 				goto out;
485 
486 			ret = copy_page_from_iter(buf->page, offset, chars, from);
487 			if (unlikely(ret < chars)) {
488 				ret = -EFAULT;
489 				goto out;
490 			}
491 
492 			buf->len += ret;
493 			if (!iov_iter_count(from))
494 				goto out;
495 		}
496 	}
497 
498 	for (;;) {
499 		if (!pipe->readers) {
500 			send_sig(SIGPIPE, current, 0);
501 			if (!ret)
502 				ret = -EPIPE;
503 			break;
504 		}
505 
506 		head = pipe->head;
507 		if (!pipe_full(head, pipe->tail, pipe->max_usage)) {
508 			unsigned int mask = pipe->ring_size - 1;
509 			struct pipe_buffer *buf = &pipe->bufs[head & mask];
510 			struct page *page = pipe->tmp_page;
511 			int copied;
512 
513 			if (!page) {
514 				page = alloc_page(GFP_HIGHUSER | __GFP_ACCOUNT);
515 				if (unlikely(!page)) {
516 					ret = ret ? : -ENOMEM;
517 					break;
518 				}
519 				pipe->tmp_page = page;
520 			}
521 
522 			/* Allocate a slot in the ring in advance and attach an
523 			 * empty buffer.  If we fault or otherwise fail to use
524 			 * it, either the reader will consume it or it'll still
525 			 * be there for the next write.
526 			 */
527 			spin_lock_irq(&pipe->rd_wait.lock);
528 
529 			head = pipe->head;
530 			if (pipe_full(head, pipe->tail, pipe->max_usage)) {
531 				spin_unlock_irq(&pipe->rd_wait.lock);
532 				continue;
533 			}
534 
535 			pipe->head = head + 1;
536 			spin_unlock_irq(&pipe->rd_wait.lock);
537 
538 			/* Insert it into the buffer array */
539 			buf = &pipe->bufs[head & mask];
540 			buf->page = page;
541 			buf->ops = &anon_pipe_buf_ops;
542 			buf->offset = 0;
543 			buf->len = 0;
544 			buf->flags = 0;
545 			if (is_packetized(filp)) {
546 				buf->ops = &packet_pipe_buf_ops;
547 				buf->flags = PIPE_BUF_FLAG_PACKET;
548 			}
549 			pipe->tmp_page = NULL;
550 
551 			copied = copy_page_from_iter(page, 0, PAGE_SIZE, from);
552 			if (unlikely(copied < PAGE_SIZE && iov_iter_count(from))) {
553 				if (!ret)
554 					ret = -EFAULT;
555 				break;
556 			}
557 			ret += copied;
558 			buf->offset = 0;
559 			buf->len = copied;
560 
561 			if (!iov_iter_count(from))
562 				break;
563 		}
564 
565 		if (!pipe_full(head, pipe->tail, pipe->max_usage))
566 			continue;
567 
568 		/* Wait for buffer space to become available. */
569 		if (filp->f_flags & O_NONBLOCK) {
570 			if (!ret)
571 				ret = -EAGAIN;
572 			break;
573 		}
574 		if (signal_pending(current)) {
575 			if (!ret)
576 				ret = -ERESTARTSYS;
577 			break;
578 		}
579 
580 		/*
581 		 * We're going to release the pipe lock and wait for more
582 		 * space. We wake up any readers if necessary, and then
583 		 * after waiting we need to re-check whether the pipe
584 		 * become empty while we dropped the lock.
585 		 */
586 		__pipe_unlock(pipe);
587 		if (was_empty) {
588 			wake_up_interruptible_sync_poll(&pipe->rd_wait, EPOLLIN | EPOLLRDNORM);
589 			kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
590 		}
591 		wait_event_interruptible_exclusive(pipe->wr_wait, pipe_writable(pipe));
592 		__pipe_lock(pipe);
593 		was_empty = pipe_empty(pipe->head, pipe->tail);
594 		wake_next_writer = true;
595 	}
596 out:
597 	if (pipe_full(pipe->head, pipe->tail, pipe->max_usage))
598 		wake_next_writer = false;
599 	__pipe_unlock(pipe);
600 
601 	/*
602 	 * If we do do a wakeup event, we do a 'sync' wakeup, because we
603 	 * want the reader to start processing things asap, rather than
604 	 * leave the data pending.
605 	 *
606 	 * This is particularly important for small writes, because of
607 	 * how (for example) the GNU make jobserver uses small writes to
608 	 * wake up pending jobs
609 	 */
610 	if (was_empty) {
611 		wake_up_interruptible_sync_poll(&pipe->rd_wait, EPOLLIN | EPOLLRDNORM);
612 		kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
613 	}
614 	if (wake_next_writer)
615 		wake_up_interruptible_sync_poll(&pipe->wr_wait, EPOLLOUT | EPOLLWRNORM);
616 	if (ret > 0 && sb_start_write_trylock(file_inode(filp)->i_sb)) {
617 		int err = file_update_time(filp);
618 		if (err)
619 			ret = err;
620 		sb_end_write(file_inode(filp)->i_sb);
621 	}
622 	return ret;
623 }
624 
625 static long pipe_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
626 {
627 	struct pipe_inode_info *pipe = filp->private_data;
628 	int count, head, tail, mask;
629 
630 	switch (cmd) {
631 		case FIONREAD:
632 			__pipe_lock(pipe);
633 			count = 0;
634 			head = pipe->head;
635 			tail = pipe->tail;
636 			mask = pipe->ring_size - 1;
637 
638 			while (tail != head) {
639 				count += pipe->bufs[tail & mask].len;
640 				tail++;
641 			}
642 			__pipe_unlock(pipe);
643 
644 			return put_user(count, (int __user *)arg);
645 		default:
646 			return -ENOIOCTLCMD;
647 	}
648 }
649 
650 /* No kernel lock held - fine */
651 static __poll_t
652 pipe_poll(struct file *filp, poll_table *wait)
653 {
654 	__poll_t mask;
655 	struct pipe_inode_info *pipe = filp->private_data;
656 	unsigned int head, tail;
657 
658 	/*
659 	 * Reading pipe state only -- no need for acquiring the semaphore.
660 	 *
661 	 * But because this is racy, the code has to add the
662 	 * entry to the poll table _first_ ..
663 	 */
664 	if (filp->f_mode & FMODE_READ)
665 		poll_wait(filp, &pipe->rd_wait, wait);
666 	if (filp->f_mode & FMODE_WRITE)
667 		poll_wait(filp, &pipe->wr_wait, wait);
668 
669 	/*
670 	 * .. and only then can you do the racy tests. That way,
671 	 * if something changes and you got it wrong, the poll
672 	 * table entry will wake you up and fix it.
673 	 */
674 	head = READ_ONCE(pipe->head);
675 	tail = READ_ONCE(pipe->tail);
676 
677 	mask = 0;
678 	if (filp->f_mode & FMODE_READ) {
679 		if (!pipe_empty(head, tail))
680 			mask |= EPOLLIN | EPOLLRDNORM;
681 		if (!pipe->writers && filp->f_version != pipe->w_counter)
682 			mask |= EPOLLHUP;
683 	}
684 
685 	if (filp->f_mode & FMODE_WRITE) {
686 		if (!pipe_full(head, tail, pipe->max_usage))
687 			mask |= EPOLLOUT | EPOLLWRNORM;
688 		/*
689 		 * Most Unices do not set EPOLLERR for FIFOs but on Linux they
690 		 * behave exactly like pipes for poll().
691 		 */
692 		if (!pipe->readers)
693 			mask |= EPOLLERR;
694 	}
695 
696 	return mask;
697 }
698 
699 static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
700 {
701 	int kill = 0;
702 
703 	spin_lock(&inode->i_lock);
704 	if (!--pipe->files) {
705 		inode->i_pipe = NULL;
706 		kill = 1;
707 	}
708 	spin_unlock(&inode->i_lock);
709 
710 	if (kill)
711 		free_pipe_info(pipe);
712 }
713 
714 static int
715 pipe_release(struct inode *inode, struct file *file)
716 {
717 	struct pipe_inode_info *pipe = file->private_data;
718 
719 	__pipe_lock(pipe);
720 	if (file->f_mode & FMODE_READ)
721 		pipe->readers--;
722 	if (file->f_mode & FMODE_WRITE)
723 		pipe->writers--;
724 
725 	/* Was that the last reader or writer, but not the other side? */
726 	if (!pipe->readers != !pipe->writers) {
727 		wake_up_interruptible_all(&pipe->rd_wait);
728 		wake_up_interruptible_all(&pipe->wr_wait);
729 		kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
730 		kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
731 	}
732 	__pipe_unlock(pipe);
733 
734 	put_pipe_info(inode, pipe);
735 	return 0;
736 }
737 
738 static int
739 pipe_fasync(int fd, struct file *filp, int on)
740 {
741 	struct pipe_inode_info *pipe = filp->private_data;
742 	int retval = 0;
743 
744 	__pipe_lock(pipe);
745 	if (filp->f_mode & FMODE_READ)
746 		retval = fasync_helper(fd, filp, on, &pipe->fasync_readers);
747 	if ((filp->f_mode & FMODE_WRITE) && retval >= 0) {
748 		retval = fasync_helper(fd, filp, on, &pipe->fasync_writers);
749 		if (retval < 0 && (filp->f_mode & FMODE_READ))
750 			/* this can happen only if on == T */
751 			fasync_helper(-1, filp, 0, &pipe->fasync_readers);
752 	}
753 	__pipe_unlock(pipe);
754 	return retval;
755 }
756 
757 static unsigned long account_pipe_buffers(struct user_struct *user,
758                                  unsigned long old, unsigned long new)
759 {
760 	return atomic_long_add_return(new - old, &user->pipe_bufs);
761 }
762 
763 static bool too_many_pipe_buffers_soft(unsigned long user_bufs)
764 {
765 	unsigned long soft_limit = READ_ONCE(pipe_user_pages_soft);
766 
767 	return soft_limit && user_bufs > soft_limit;
768 }
769 
770 static bool too_many_pipe_buffers_hard(unsigned long user_bufs)
771 {
772 	unsigned long hard_limit = READ_ONCE(pipe_user_pages_hard);
773 
774 	return hard_limit && user_bufs > hard_limit;
775 }
776 
777 static bool is_unprivileged_user(void)
778 {
779 	return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
780 }
781 
782 struct pipe_inode_info *alloc_pipe_info(void)
783 {
784 	struct pipe_inode_info *pipe;
785 	unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
786 	struct user_struct *user = get_current_user();
787 	unsigned long user_bufs;
788 	unsigned int max_size = READ_ONCE(pipe_max_size);
789 
790 	pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
791 	if (pipe == NULL)
792 		goto out_free_uid;
793 
794 	if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
795 		pipe_bufs = max_size >> PAGE_SHIFT;
796 
797 	user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
798 
799 	if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) {
800 		user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
801 		pipe_bufs = 1;
802 	}
803 
804 	if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user())
805 		goto out_revert_acct;
806 
807 	pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer),
808 			     GFP_KERNEL_ACCOUNT);
809 
810 	if (pipe->bufs) {
811 		init_waitqueue_head(&pipe->rd_wait);
812 		init_waitqueue_head(&pipe->wr_wait);
813 		pipe->r_counter = pipe->w_counter = 1;
814 		pipe->max_usage = pipe_bufs;
815 		pipe->ring_size = pipe_bufs;
816 		pipe->user = user;
817 		mutex_init(&pipe->mutex);
818 		return pipe;
819 	}
820 
821 out_revert_acct:
822 	(void) account_pipe_buffers(user, pipe_bufs, 0);
823 	kfree(pipe);
824 out_free_uid:
825 	free_uid(user);
826 	return NULL;
827 }
828 
829 void free_pipe_info(struct pipe_inode_info *pipe)
830 {
831 	int i;
832 
833 	(void) account_pipe_buffers(pipe->user, pipe->ring_size, 0);
834 	free_uid(pipe->user);
835 	for (i = 0; i < pipe->ring_size; i++) {
836 		struct pipe_buffer *buf = pipe->bufs + i;
837 		if (buf->ops)
838 			pipe_buf_release(pipe, buf);
839 	}
840 	if (pipe->tmp_page)
841 		__free_page(pipe->tmp_page);
842 	kfree(pipe->bufs);
843 	kfree(pipe);
844 }
845 
846 static struct vfsmount *pipe_mnt __read_mostly;
847 
848 /*
849  * pipefs_dname() is called from d_path().
850  */
851 static char *pipefs_dname(struct dentry *dentry, char *buffer, int buflen)
852 {
853 	return dynamic_dname(dentry, buffer, buflen, "pipe:[%lu]",
854 				d_inode(dentry)->i_ino);
855 }
856 
857 static const struct dentry_operations pipefs_dentry_operations = {
858 	.d_dname	= pipefs_dname,
859 };
860 
861 static struct inode * get_pipe_inode(void)
862 {
863 	struct inode *inode = new_inode_pseudo(pipe_mnt->mnt_sb);
864 	struct pipe_inode_info *pipe;
865 
866 	if (!inode)
867 		goto fail_inode;
868 
869 	inode->i_ino = get_next_ino();
870 
871 	pipe = alloc_pipe_info();
872 	if (!pipe)
873 		goto fail_iput;
874 
875 	inode->i_pipe = pipe;
876 	pipe->files = 2;
877 	pipe->readers = pipe->writers = 1;
878 	inode->i_fop = &pipefifo_fops;
879 
880 	/*
881 	 * Mark the inode dirty from the very beginning,
882 	 * that way it will never be moved to the dirty
883 	 * list because "mark_inode_dirty()" will think
884 	 * that it already _is_ on the dirty list.
885 	 */
886 	inode->i_state = I_DIRTY;
887 	inode->i_mode = S_IFIFO | S_IRUSR | S_IWUSR;
888 	inode->i_uid = current_fsuid();
889 	inode->i_gid = current_fsgid();
890 	inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
891 
892 	return inode;
893 
894 fail_iput:
895 	iput(inode);
896 
897 fail_inode:
898 	return NULL;
899 }
900 
901 int create_pipe_files(struct file **res, int flags)
902 {
903 	struct inode *inode = get_pipe_inode();
904 	struct file *f;
905 
906 	if (!inode)
907 		return -ENFILE;
908 
909 	f = alloc_file_pseudo(inode, pipe_mnt, "",
910 				O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT)),
911 				&pipefifo_fops);
912 	if (IS_ERR(f)) {
913 		free_pipe_info(inode->i_pipe);
914 		iput(inode);
915 		return PTR_ERR(f);
916 	}
917 
918 	f->private_data = inode->i_pipe;
919 
920 	res[0] = alloc_file_clone(f, O_RDONLY | (flags & O_NONBLOCK),
921 				  &pipefifo_fops);
922 	if (IS_ERR(res[0])) {
923 		put_pipe_info(inode, inode->i_pipe);
924 		fput(f);
925 		return PTR_ERR(res[0]);
926 	}
927 	res[0]->private_data = inode->i_pipe;
928 	res[1] = f;
929 	stream_open(inode, res[0]);
930 	stream_open(inode, res[1]);
931 	return 0;
932 }
933 
934 static int __do_pipe_flags(int *fd, struct file **files, int flags)
935 {
936 	int error;
937 	int fdw, fdr;
938 
939 	if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT))
940 		return -EINVAL;
941 
942 	error = create_pipe_files(files, flags);
943 	if (error)
944 		return error;
945 
946 	error = get_unused_fd_flags(flags);
947 	if (error < 0)
948 		goto err_read_pipe;
949 	fdr = error;
950 
951 	error = get_unused_fd_flags(flags);
952 	if (error < 0)
953 		goto err_fdr;
954 	fdw = error;
955 
956 	audit_fd_pair(fdr, fdw);
957 	fd[0] = fdr;
958 	fd[1] = fdw;
959 	return 0;
960 
961  err_fdr:
962 	put_unused_fd(fdr);
963  err_read_pipe:
964 	fput(files[0]);
965 	fput(files[1]);
966 	return error;
967 }
968 
969 int do_pipe_flags(int *fd, int flags)
970 {
971 	struct file *files[2];
972 	int error = __do_pipe_flags(fd, files, flags);
973 	if (!error) {
974 		fd_install(fd[0], files[0]);
975 		fd_install(fd[1], files[1]);
976 	}
977 	return error;
978 }
979 
980 /*
981  * sys_pipe() is the normal C calling standard for creating
982  * a pipe. It's not the way Unix traditionally does this, though.
983  */
984 static int do_pipe2(int __user *fildes, int flags)
985 {
986 	struct file *files[2];
987 	int fd[2];
988 	int error;
989 
990 	error = __do_pipe_flags(fd, files, flags);
991 	if (!error) {
992 		if (unlikely(copy_to_user(fildes, fd, sizeof(fd)))) {
993 			fput(files[0]);
994 			fput(files[1]);
995 			put_unused_fd(fd[0]);
996 			put_unused_fd(fd[1]);
997 			error = -EFAULT;
998 		} else {
999 			fd_install(fd[0], files[0]);
1000 			fd_install(fd[1], files[1]);
1001 		}
1002 	}
1003 	return error;
1004 }
1005 
1006 SYSCALL_DEFINE2(pipe2, int __user *, fildes, int, flags)
1007 {
1008 	return do_pipe2(fildes, flags);
1009 }
1010 
1011 SYSCALL_DEFINE1(pipe, int __user *, fildes)
1012 {
1013 	return do_pipe2(fildes, 0);
1014 }
1015 
1016 static int wait_for_partner(struct pipe_inode_info *pipe, unsigned int *cnt)
1017 {
1018 	int cur = *cnt;
1019 
1020 	while (cur == *cnt) {
1021 		pipe_wait(pipe);
1022 		if (signal_pending(current))
1023 			break;
1024 	}
1025 	return cur == *cnt ? -ERESTARTSYS : 0;
1026 }
1027 
1028 static void wake_up_partner(struct pipe_inode_info *pipe)
1029 {
1030 	wake_up_interruptible_all(&pipe->rd_wait);
1031 	wake_up_interruptible_all(&pipe->wr_wait);
1032 }
1033 
1034 static int fifo_open(struct inode *inode, struct file *filp)
1035 {
1036 	struct pipe_inode_info *pipe;
1037 	bool is_pipe = inode->i_sb->s_magic == PIPEFS_MAGIC;
1038 	int ret;
1039 
1040 	filp->f_version = 0;
1041 
1042 	spin_lock(&inode->i_lock);
1043 	if (inode->i_pipe) {
1044 		pipe = inode->i_pipe;
1045 		pipe->files++;
1046 		spin_unlock(&inode->i_lock);
1047 	} else {
1048 		spin_unlock(&inode->i_lock);
1049 		pipe = alloc_pipe_info();
1050 		if (!pipe)
1051 			return -ENOMEM;
1052 		pipe->files = 1;
1053 		spin_lock(&inode->i_lock);
1054 		if (unlikely(inode->i_pipe)) {
1055 			inode->i_pipe->files++;
1056 			spin_unlock(&inode->i_lock);
1057 			free_pipe_info(pipe);
1058 			pipe = inode->i_pipe;
1059 		} else {
1060 			inode->i_pipe = pipe;
1061 			spin_unlock(&inode->i_lock);
1062 		}
1063 	}
1064 	filp->private_data = pipe;
1065 	/* OK, we have a pipe and it's pinned down */
1066 
1067 	__pipe_lock(pipe);
1068 
1069 	/* We can only do regular read/write on fifos */
1070 	stream_open(inode, filp);
1071 
1072 	switch (filp->f_mode & (FMODE_READ | FMODE_WRITE)) {
1073 	case FMODE_READ:
1074 	/*
1075 	 *  O_RDONLY
1076 	 *  POSIX.1 says that O_NONBLOCK means return with the FIFO
1077 	 *  opened, even when there is no process writing the FIFO.
1078 	 */
1079 		pipe->r_counter++;
1080 		if (pipe->readers++ == 0)
1081 			wake_up_partner(pipe);
1082 
1083 		if (!is_pipe && !pipe->writers) {
1084 			if ((filp->f_flags & O_NONBLOCK)) {
1085 				/* suppress EPOLLHUP until we have
1086 				 * seen a writer */
1087 				filp->f_version = pipe->w_counter;
1088 			} else {
1089 				if (wait_for_partner(pipe, &pipe->w_counter))
1090 					goto err_rd;
1091 			}
1092 		}
1093 		break;
1094 
1095 	case FMODE_WRITE:
1096 	/*
1097 	 *  O_WRONLY
1098 	 *  POSIX.1 says that O_NONBLOCK means return -1 with
1099 	 *  errno=ENXIO when there is no process reading the FIFO.
1100 	 */
1101 		ret = -ENXIO;
1102 		if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !pipe->readers)
1103 			goto err;
1104 
1105 		pipe->w_counter++;
1106 		if (!pipe->writers++)
1107 			wake_up_partner(pipe);
1108 
1109 		if (!is_pipe && !pipe->readers) {
1110 			if (wait_for_partner(pipe, &pipe->r_counter))
1111 				goto err_wr;
1112 		}
1113 		break;
1114 
1115 	case FMODE_READ | FMODE_WRITE:
1116 	/*
1117 	 *  O_RDWR
1118 	 *  POSIX.1 leaves this case "undefined" when O_NONBLOCK is set.
1119 	 *  This implementation will NEVER block on a O_RDWR open, since
1120 	 *  the process can at least talk to itself.
1121 	 */
1122 
1123 		pipe->readers++;
1124 		pipe->writers++;
1125 		pipe->r_counter++;
1126 		pipe->w_counter++;
1127 		if (pipe->readers == 1 || pipe->writers == 1)
1128 			wake_up_partner(pipe);
1129 		break;
1130 
1131 	default:
1132 		ret = -EINVAL;
1133 		goto err;
1134 	}
1135 
1136 	/* Ok! */
1137 	__pipe_unlock(pipe);
1138 	return 0;
1139 
1140 err_rd:
1141 	if (!--pipe->readers)
1142 		wake_up_interruptible(&pipe->wr_wait);
1143 	ret = -ERESTARTSYS;
1144 	goto err;
1145 
1146 err_wr:
1147 	if (!--pipe->writers)
1148 		wake_up_interruptible_all(&pipe->rd_wait);
1149 	ret = -ERESTARTSYS;
1150 	goto err;
1151 
1152 err:
1153 	__pipe_unlock(pipe);
1154 
1155 	put_pipe_info(inode, pipe);
1156 	return ret;
1157 }
1158 
1159 const struct file_operations pipefifo_fops = {
1160 	.open		= fifo_open,
1161 	.llseek		= no_llseek,
1162 	.read_iter	= pipe_read,
1163 	.write_iter	= pipe_write,
1164 	.poll		= pipe_poll,
1165 	.unlocked_ioctl	= pipe_ioctl,
1166 	.release	= pipe_release,
1167 	.fasync		= pipe_fasync,
1168 };
1169 
1170 /*
1171  * Currently we rely on the pipe array holding a power-of-2 number
1172  * of pages. Returns 0 on error.
1173  */
1174 unsigned int round_pipe_size(unsigned long size)
1175 {
1176 	if (size > (1U << 31))
1177 		return 0;
1178 
1179 	/* Minimum pipe size, as required by POSIX */
1180 	if (size < PAGE_SIZE)
1181 		return PAGE_SIZE;
1182 
1183 	return roundup_pow_of_two(size);
1184 }
1185 
1186 /*
1187  * Allocate a new array of pipe buffers and copy the info over. Returns the
1188  * pipe size if successful, or return -ERROR on error.
1189  */
1190 static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
1191 {
1192 	struct pipe_buffer *bufs;
1193 	unsigned int size, nr_slots, head, tail, mask, n;
1194 	unsigned long user_bufs;
1195 	long ret = 0;
1196 
1197 	size = round_pipe_size(arg);
1198 	nr_slots = size >> PAGE_SHIFT;
1199 
1200 	if (!nr_slots)
1201 		return -EINVAL;
1202 
1203 	/*
1204 	 * If trying to increase the pipe capacity, check that an
1205 	 * unprivileged user is not trying to exceed various limits
1206 	 * (soft limit check here, hard limit check just below).
1207 	 * Decreasing the pipe capacity is always permitted, even
1208 	 * if the user is currently over a limit.
1209 	 */
1210 	if (nr_slots > pipe->ring_size &&
1211 			size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
1212 		return -EPERM;
1213 
1214 	user_bufs = account_pipe_buffers(pipe->user, pipe->ring_size, nr_slots);
1215 
1216 	if (nr_slots > pipe->ring_size &&
1217 			(too_many_pipe_buffers_hard(user_bufs) ||
1218 			 too_many_pipe_buffers_soft(user_bufs)) &&
1219 			is_unprivileged_user()) {
1220 		ret = -EPERM;
1221 		goto out_revert_acct;
1222 	}
1223 
1224 	/*
1225 	 * We can shrink the pipe, if arg is greater than the ring occupancy.
1226 	 * Since we don't expect a lot of shrink+grow operations, just free and
1227 	 * allocate again like we would do for growing.  If the pipe currently
1228 	 * contains more buffers than arg, then return busy.
1229 	 */
1230 	mask = pipe->ring_size - 1;
1231 	head = pipe->head;
1232 	tail = pipe->tail;
1233 	n = pipe_occupancy(pipe->head, pipe->tail);
1234 	if (nr_slots < n) {
1235 		ret = -EBUSY;
1236 		goto out_revert_acct;
1237 	}
1238 
1239 	bufs = kcalloc(nr_slots, sizeof(*bufs),
1240 		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
1241 	if (unlikely(!bufs)) {
1242 		ret = -ENOMEM;
1243 		goto out_revert_acct;
1244 	}
1245 
1246 	/*
1247 	 * The pipe array wraps around, so just start the new one at zero
1248 	 * and adjust the indices.
1249 	 */
1250 	if (n > 0) {
1251 		unsigned int h = head & mask;
1252 		unsigned int t = tail & mask;
1253 		if (h > t) {
1254 			memcpy(bufs, pipe->bufs + t,
1255 			       n * sizeof(struct pipe_buffer));
1256 		} else {
1257 			unsigned int tsize = pipe->ring_size - t;
1258 			if (h > 0)
1259 				memcpy(bufs + tsize, pipe->bufs,
1260 				       h * sizeof(struct pipe_buffer));
1261 			memcpy(bufs, pipe->bufs + t,
1262 			       tsize * sizeof(struct pipe_buffer));
1263 		}
1264 	}
1265 
1266 	head = n;
1267 	tail = 0;
1268 
1269 	kfree(pipe->bufs);
1270 	pipe->bufs = bufs;
1271 	pipe->ring_size = nr_slots;
1272 	pipe->max_usage = nr_slots;
1273 	pipe->tail = tail;
1274 	pipe->head = head;
1275 
1276 	/* This might have made more room for writers */
1277 	wake_up_interruptible(&pipe->wr_wait);
1278 	return pipe->max_usage * PAGE_SIZE;
1279 
1280 out_revert_acct:
1281 	(void) account_pipe_buffers(pipe->user, nr_slots, pipe->ring_size);
1282 	return ret;
1283 }
1284 
1285 /*
1286  * After the inode slimming patch, i_pipe/i_bdev/i_cdev share the same
1287  * location, so checking ->i_pipe is not enough to verify that this is a
1288  * pipe.
1289  */
1290 struct pipe_inode_info *get_pipe_info(struct file *file)
1291 {
1292 	return file->f_op == &pipefifo_fops ? file->private_data : NULL;
1293 }
1294 
1295 long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
1296 {
1297 	struct pipe_inode_info *pipe;
1298 	long ret;
1299 
1300 	pipe = get_pipe_info(file);
1301 	if (!pipe)
1302 		return -EBADF;
1303 
1304 	__pipe_lock(pipe);
1305 
1306 	switch (cmd) {
1307 	case F_SETPIPE_SZ:
1308 		ret = pipe_set_size(pipe, arg);
1309 		break;
1310 	case F_GETPIPE_SZ:
1311 		ret = pipe->max_usage * PAGE_SIZE;
1312 		break;
1313 	default:
1314 		ret = -EINVAL;
1315 		break;
1316 	}
1317 
1318 	__pipe_unlock(pipe);
1319 	return ret;
1320 }
1321 
1322 static const struct super_operations pipefs_ops = {
1323 	.destroy_inode = free_inode_nonrcu,
1324 	.statfs = simple_statfs,
1325 };
1326 
1327 /*
1328  * pipefs should _never_ be mounted by userland - too much of security hassle,
1329  * no real gain from having the whole whorehouse mounted. So we don't need
1330  * any operations on the root directory. However, we need a non-trivial
1331  * d_name - pipe: will go nicely and kill the special-casing in procfs.
1332  */
1333 
1334 static int pipefs_init_fs_context(struct fs_context *fc)
1335 {
1336 	struct pseudo_fs_context *ctx = init_pseudo(fc, PIPEFS_MAGIC);
1337 	if (!ctx)
1338 		return -ENOMEM;
1339 	ctx->ops = &pipefs_ops;
1340 	ctx->dops = &pipefs_dentry_operations;
1341 	return 0;
1342 }
1343 
1344 static struct file_system_type pipe_fs_type = {
1345 	.name		= "pipefs",
1346 	.init_fs_context = pipefs_init_fs_context,
1347 	.kill_sb	= kill_anon_super,
1348 };
1349 
1350 static int __init init_pipe_fs(void)
1351 {
1352 	int err = register_filesystem(&pipe_fs_type);
1353 
1354 	if (!err) {
1355 		pipe_mnt = kern_mount(&pipe_fs_type);
1356 		if (IS_ERR(pipe_mnt)) {
1357 			err = PTR_ERR(pipe_mnt);
1358 			unregister_filesystem(&pipe_fs_type);
1359 		}
1360 	}
1361 	return err;
1362 }
1363 
1364 fs_initcall(init_pipe_fs);
1365