1 /* 2 FUSE: Filesystem in Userspace 3 Copyright (C) 2001-2005 Miklos Szeredi <miklos@szeredi.hu> 4 5 This program can be distributed under the terms of the GNU GPL. 6 See the file COPYING. 7 */ 8 9 #include "fuse_i.h" 10 11 #include <linux/init.h> 12 #include <linux/module.h> 13 #include <linux/poll.h> 14 #include <linux/uio.h> 15 #include <linux/miscdevice.h> 16 #include <linux/pagemap.h> 17 #include <linux/file.h> 18 #include <linux/slab.h> 19 20 MODULE_ALIAS_MISCDEV(FUSE_MINOR); 21 22 static kmem_cache_t *fuse_req_cachep; 23 24 static inline struct fuse_conn *fuse_get_conn(struct file *file) 25 { 26 struct fuse_conn *fc; 27 spin_lock(&fuse_lock); 28 fc = file->private_data; 29 if (fc && !fc->mounted) 30 fc = NULL; 31 spin_unlock(&fuse_lock); 32 return fc; 33 } 34 35 static inline void fuse_request_init(struct fuse_req *req) 36 { 37 memset(req, 0, sizeof(*req)); 38 INIT_LIST_HEAD(&req->list); 39 init_waitqueue_head(&req->waitq); 40 atomic_set(&req->count, 1); 41 } 42 43 struct fuse_req *fuse_request_alloc(void) 44 { 45 struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, SLAB_KERNEL); 46 if (req) 47 fuse_request_init(req); 48 return req; 49 } 50 51 void fuse_request_free(struct fuse_req *req) 52 { 53 kmem_cache_free(fuse_req_cachep, req); 54 } 55 56 static inline void block_sigs(sigset_t *oldset) 57 { 58 sigset_t mask; 59 60 siginitsetinv(&mask, sigmask(SIGKILL)); 61 sigprocmask(SIG_BLOCK, &mask, oldset); 62 } 63 64 static inline void restore_sigs(sigset_t *oldset) 65 { 66 sigprocmask(SIG_SETMASK, oldset, NULL); 67 } 68 69 void fuse_reset_request(struct fuse_req *req) 70 { 71 int preallocated = req->preallocated; 72 BUG_ON(atomic_read(&req->count) != 1); 73 fuse_request_init(req); 74 req->preallocated = preallocated; 75 } 76 77 static void __fuse_get_request(struct fuse_req *req) 78 { 79 atomic_inc(&req->count); 80 } 81 82 /* Must be called with > 1 refcount */ 83 static void __fuse_put_request(struct fuse_req *req) 84 { 85 BUG_ON(atomic_read(&req->count) < 2); 86 atomic_dec(&req->count); 87 } 88 89 static struct fuse_req *do_get_request(struct fuse_conn *fc) 90 { 91 struct fuse_req *req; 92 93 spin_lock(&fuse_lock); 94 BUG_ON(list_empty(&fc->unused_list)); 95 req = list_entry(fc->unused_list.next, struct fuse_req, list); 96 list_del_init(&req->list); 97 spin_unlock(&fuse_lock); 98 fuse_request_init(req); 99 req->preallocated = 1; 100 req->in.h.uid = current->fsuid; 101 req->in.h.gid = current->fsgid; 102 req->in.h.pid = current->pid; 103 return req; 104 } 105 106 /* This can return NULL, but only in case it's interrupted by a SIGKILL */ 107 struct fuse_req *fuse_get_request(struct fuse_conn *fc) 108 { 109 int intr; 110 sigset_t oldset; 111 112 block_sigs(&oldset); 113 intr = down_interruptible(&fc->outstanding_sem); 114 restore_sigs(&oldset); 115 return intr ? NULL : do_get_request(fc); 116 } 117 118 static void fuse_putback_request(struct fuse_conn *fc, struct fuse_req *req) 119 { 120 spin_lock(&fuse_lock); 121 if (req->preallocated) 122 list_add(&req->list, &fc->unused_list); 123 else 124 fuse_request_free(req); 125 126 /* If we are in debt decrease that first */ 127 if (fc->outstanding_debt) 128 fc->outstanding_debt--; 129 else 130 up(&fc->outstanding_sem); 131 spin_unlock(&fuse_lock); 132 } 133 134 void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req) 135 { 136 if (atomic_dec_and_test(&req->count)) 137 fuse_putback_request(fc, req); 138 } 139 140 void fuse_release_background(struct fuse_req *req) 141 { 142 iput(req->inode); 143 iput(req->inode2); 144 if (req->file) 145 fput(req->file); 146 spin_lock(&fuse_lock); 147 list_del(&req->bg_entry); 148 spin_unlock(&fuse_lock); 149 } 150 151 /* 152 * This function is called when a request is finished. Either a reply 153 * has arrived or it was interrupted (and not yet sent) or some error 154 * occurred during communication with userspace, or the device file was 155 * closed. It decreases the reference count for the request. In case 156 * of a background request the reference to the stored objects are 157 * released. The requester thread is woken up (if still waiting), and 158 * finally the request is either freed or put on the unused_list 159 * 160 * Called with fuse_lock, unlocks it 161 */ 162 static void request_end(struct fuse_conn *fc, struct fuse_req *req) 163 { 164 int putback; 165 req->finished = 1; 166 putback = atomic_dec_and_test(&req->count); 167 spin_unlock(&fuse_lock); 168 if (req->background) { 169 down_read(&fc->sbput_sem); 170 if (fc->mounted) 171 fuse_release_background(req); 172 up_read(&fc->sbput_sem); 173 } 174 wake_up(&req->waitq); 175 if (req->in.h.opcode == FUSE_INIT) { 176 int i; 177 178 if (req->misc.init_in_out.major != FUSE_KERNEL_VERSION) 179 fc->conn_error = 1; 180 181 fc->minor = req->misc.init_in_out.minor; 182 183 /* After INIT reply is received other requests can go 184 out. So do (FUSE_MAX_OUTSTANDING - 1) number of 185 up()s on outstanding_sem. The last up() is done in 186 fuse_putback_request() */ 187 for (i = 1; i < FUSE_MAX_OUTSTANDING; i++) 188 up(&fc->outstanding_sem); 189 } else if (req->in.h.opcode == FUSE_RELEASE && req->inode == NULL) { 190 /* Special case for failed iget in CREATE */ 191 u64 nodeid = req->in.h.nodeid; 192 __fuse_get_request(req); 193 fuse_reset_request(req); 194 fuse_send_forget(fc, req, nodeid, 1); 195 putback = 0; 196 } 197 if (putback) 198 fuse_putback_request(fc, req); 199 } 200 201 /* 202 * Unfortunately request interruption not just solves the deadlock 203 * problem, it causes problems too. These stem from the fact, that an 204 * interrupted request is continued to be processed in userspace, 205 * while all the locks and object references (inode and file) held 206 * during the operation are released. 207 * 208 * To release the locks is exactly why there's a need to interrupt the 209 * request, so there's not a lot that can be done about this, except 210 * introduce additional locking in userspace. 211 * 212 * More important is to keep inode and file references until userspace 213 * has replied, otherwise FORGET and RELEASE could be sent while the 214 * inode/file is still used by the filesystem. 215 * 216 * For this reason the concept of "background" request is introduced. 217 * An interrupted request is backgrounded if it has been already sent 218 * to userspace. Backgrounding involves getting an extra reference to 219 * inode(s) or file used in the request, and adding the request to 220 * fc->background list. When a reply is received for a background 221 * request, the object references are released, and the request is 222 * removed from the list. If the filesystem is unmounted while there 223 * are still background requests, the list is walked and references 224 * are released as if a reply was received. 225 * 226 * There's one more use for a background request. The RELEASE message is 227 * always sent as background, since it doesn't return an error or 228 * data. 229 */ 230 static void background_request(struct fuse_conn *fc, struct fuse_req *req) 231 { 232 req->background = 1; 233 list_add(&req->bg_entry, &fc->background); 234 if (req->inode) 235 req->inode = igrab(req->inode); 236 if (req->inode2) 237 req->inode2 = igrab(req->inode2); 238 if (req->file) 239 get_file(req->file); 240 } 241 242 /* Called with fuse_lock held. Releases, and then reacquires it. */ 243 static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req) 244 { 245 sigset_t oldset; 246 247 spin_unlock(&fuse_lock); 248 block_sigs(&oldset); 249 wait_event_interruptible(req->waitq, req->finished); 250 restore_sigs(&oldset); 251 spin_lock(&fuse_lock); 252 if (req->finished) 253 return; 254 255 req->out.h.error = -EINTR; 256 req->interrupted = 1; 257 if (req->locked) { 258 /* This is uninterruptible sleep, because data is 259 being copied to/from the buffers of req. During 260 locked state, there mustn't be any filesystem 261 operation (e.g. page fault), since that could lead 262 to deadlock */ 263 spin_unlock(&fuse_lock); 264 wait_event(req->waitq, !req->locked); 265 spin_lock(&fuse_lock); 266 } 267 if (!req->sent && !list_empty(&req->list)) { 268 list_del(&req->list); 269 __fuse_put_request(req); 270 } else if (!req->finished && req->sent) 271 background_request(fc, req); 272 } 273 274 static unsigned len_args(unsigned numargs, struct fuse_arg *args) 275 { 276 unsigned nbytes = 0; 277 unsigned i; 278 279 for (i = 0; i < numargs; i++) 280 nbytes += args[i].size; 281 282 return nbytes; 283 } 284 285 static void queue_request(struct fuse_conn *fc, struct fuse_req *req) 286 { 287 fc->reqctr++; 288 /* zero is special */ 289 if (fc->reqctr == 0) 290 fc->reqctr = 1; 291 req->in.h.unique = fc->reqctr; 292 req->in.h.len = sizeof(struct fuse_in_header) + 293 len_args(req->in.numargs, (struct fuse_arg *) req->in.args); 294 if (!req->preallocated) { 295 /* If request is not preallocated (either FORGET or 296 RELEASE), then still decrease outstanding_sem, so 297 user can't open infinite number of files while not 298 processing the RELEASE requests. However for 299 efficiency do it without blocking, so if down() 300 would block, just increase the debt instead */ 301 if (down_trylock(&fc->outstanding_sem)) 302 fc->outstanding_debt++; 303 } 304 list_add_tail(&req->list, &fc->pending); 305 wake_up(&fc->waitq); 306 } 307 308 /* 309 * This can only be interrupted by a SIGKILL 310 */ 311 void request_send(struct fuse_conn *fc, struct fuse_req *req) 312 { 313 req->isreply = 1; 314 spin_lock(&fuse_lock); 315 if (!fc->connected) 316 req->out.h.error = -ENOTCONN; 317 else if (fc->conn_error) 318 req->out.h.error = -ECONNREFUSED; 319 else { 320 queue_request(fc, req); 321 /* acquire extra reference, since request is still needed 322 after request_end() */ 323 __fuse_get_request(req); 324 325 request_wait_answer(fc, req); 326 } 327 spin_unlock(&fuse_lock); 328 } 329 330 static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req) 331 { 332 spin_lock(&fuse_lock); 333 if (fc->connected) { 334 queue_request(fc, req); 335 spin_unlock(&fuse_lock); 336 } else { 337 req->out.h.error = -ENOTCONN; 338 request_end(fc, req); 339 } 340 } 341 342 void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req) 343 { 344 req->isreply = 0; 345 request_send_nowait(fc, req); 346 } 347 348 void request_send_background(struct fuse_conn *fc, struct fuse_req *req) 349 { 350 req->isreply = 1; 351 spin_lock(&fuse_lock); 352 background_request(fc, req); 353 spin_unlock(&fuse_lock); 354 request_send_nowait(fc, req); 355 } 356 357 void fuse_send_init(struct fuse_conn *fc) 358 { 359 /* This is called from fuse_read_super() so there's guaranteed 360 to be a request available */ 361 struct fuse_req *req = do_get_request(fc); 362 struct fuse_init_in_out *arg = &req->misc.init_in_out; 363 arg->major = FUSE_KERNEL_VERSION; 364 arg->minor = FUSE_KERNEL_MINOR_VERSION; 365 req->in.h.opcode = FUSE_INIT; 366 req->in.numargs = 1; 367 req->in.args[0].size = sizeof(*arg); 368 req->in.args[0].value = arg; 369 req->out.numargs = 1; 370 req->out.args[0].size = sizeof(*arg); 371 req->out.args[0].value = arg; 372 request_send_background(fc, req); 373 } 374 375 /* 376 * Lock the request. Up to the next unlock_request() there mustn't be 377 * anything that could cause a page-fault. If the request was already 378 * interrupted bail out. 379 */ 380 static inline int lock_request(struct fuse_req *req) 381 { 382 int err = 0; 383 if (req) { 384 spin_lock(&fuse_lock); 385 if (req->interrupted) 386 err = -ENOENT; 387 else 388 req->locked = 1; 389 spin_unlock(&fuse_lock); 390 } 391 return err; 392 } 393 394 /* 395 * Unlock request. If it was interrupted during being locked, the 396 * requester thread is currently waiting for it to be unlocked, so 397 * wake it up. 398 */ 399 static inline void unlock_request(struct fuse_req *req) 400 { 401 if (req) { 402 spin_lock(&fuse_lock); 403 req->locked = 0; 404 if (req->interrupted) 405 wake_up(&req->waitq); 406 spin_unlock(&fuse_lock); 407 } 408 } 409 410 struct fuse_copy_state { 411 int write; 412 struct fuse_req *req; 413 const struct iovec *iov; 414 unsigned long nr_segs; 415 unsigned long seglen; 416 unsigned long addr; 417 struct page *pg; 418 void *mapaddr; 419 void *buf; 420 unsigned len; 421 }; 422 423 static void fuse_copy_init(struct fuse_copy_state *cs, int write, 424 struct fuse_req *req, const struct iovec *iov, 425 unsigned long nr_segs) 426 { 427 memset(cs, 0, sizeof(*cs)); 428 cs->write = write; 429 cs->req = req; 430 cs->iov = iov; 431 cs->nr_segs = nr_segs; 432 } 433 434 /* Unmap and put previous page of userspace buffer */ 435 static inline void fuse_copy_finish(struct fuse_copy_state *cs) 436 { 437 if (cs->mapaddr) { 438 kunmap_atomic(cs->mapaddr, KM_USER0); 439 if (cs->write) { 440 flush_dcache_page(cs->pg); 441 set_page_dirty_lock(cs->pg); 442 } 443 put_page(cs->pg); 444 cs->mapaddr = NULL; 445 } 446 } 447 448 /* 449 * Get another pagefull of userspace buffer, and map it to kernel 450 * address space, and lock request 451 */ 452 static int fuse_copy_fill(struct fuse_copy_state *cs) 453 { 454 unsigned long offset; 455 int err; 456 457 unlock_request(cs->req); 458 fuse_copy_finish(cs); 459 if (!cs->seglen) { 460 BUG_ON(!cs->nr_segs); 461 cs->seglen = cs->iov[0].iov_len; 462 cs->addr = (unsigned long) cs->iov[0].iov_base; 463 cs->iov ++; 464 cs->nr_segs --; 465 } 466 down_read(¤t->mm->mmap_sem); 467 err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0, 468 &cs->pg, NULL); 469 up_read(¤t->mm->mmap_sem); 470 if (err < 0) 471 return err; 472 BUG_ON(err != 1); 473 offset = cs->addr % PAGE_SIZE; 474 cs->mapaddr = kmap_atomic(cs->pg, KM_USER0); 475 cs->buf = cs->mapaddr + offset; 476 cs->len = min(PAGE_SIZE - offset, cs->seglen); 477 cs->seglen -= cs->len; 478 cs->addr += cs->len; 479 480 return lock_request(cs->req); 481 } 482 483 /* Do as much copy to/from userspace buffer as we can */ 484 static inline int fuse_copy_do(struct fuse_copy_state *cs, void **val, 485 unsigned *size) 486 { 487 unsigned ncpy = min(*size, cs->len); 488 if (val) { 489 if (cs->write) 490 memcpy(cs->buf, *val, ncpy); 491 else 492 memcpy(*val, cs->buf, ncpy); 493 *val += ncpy; 494 } 495 *size -= ncpy; 496 cs->len -= ncpy; 497 cs->buf += ncpy; 498 return ncpy; 499 } 500 501 /* 502 * Copy a page in the request to/from the userspace buffer. Must be 503 * done atomically 504 */ 505 static inline int fuse_copy_page(struct fuse_copy_state *cs, struct page *page, 506 unsigned offset, unsigned count, int zeroing) 507 { 508 if (page && zeroing && count < PAGE_SIZE) { 509 void *mapaddr = kmap_atomic(page, KM_USER1); 510 memset(mapaddr, 0, PAGE_SIZE); 511 kunmap_atomic(mapaddr, KM_USER1); 512 } 513 while (count) { 514 int err; 515 if (!cs->len && (err = fuse_copy_fill(cs))) 516 return err; 517 if (page) { 518 void *mapaddr = kmap_atomic(page, KM_USER1); 519 void *buf = mapaddr + offset; 520 offset += fuse_copy_do(cs, &buf, &count); 521 kunmap_atomic(mapaddr, KM_USER1); 522 } else 523 offset += fuse_copy_do(cs, NULL, &count); 524 } 525 if (page && !cs->write) 526 flush_dcache_page(page); 527 return 0; 528 } 529 530 /* Copy pages in the request to/from userspace buffer */ 531 static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes, 532 int zeroing) 533 { 534 unsigned i; 535 struct fuse_req *req = cs->req; 536 unsigned offset = req->page_offset; 537 unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset); 538 539 for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) { 540 struct page *page = req->pages[i]; 541 int err = fuse_copy_page(cs, page, offset, count, zeroing); 542 if (err) 543 return err; 544 545 nbytes -= count; 546 count = min(nbytes, (unsigned) PAGE_SIZE); 547 offset = 0; 548 } 549 return 0; 550 } 551 552 /* Copy a single argument in the request to/from userspace buffer */ 553 static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size) 554 { 555 while (size) { 556 int err; 557 if (!cs->len && (err = fuse_copy_fill(cs))) 558 return err; 559 fuse_copy_do(cs, &val, &size); 560 } 561 return 0; 562 } 563 564 /* Copy request arguments to/from userspace buffer */ 565 static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs, 566 unsigned argpages, struct fuse_arg *args, 567 int zeroing) 568 { 569 int err = 0; 570 unsigned i; 571 572 for (i = 0; !err && i < numargs; i++) { 573 struct fuse_arg *arg = &args[i]; 574 if (i == numargs - 1 && argpages) 575 err = fuse_copy_pages(cs, arg->size, zeroing); 576 else 577 err = fuse_copy_one(cs, arg->value, arg->size); 578 } 579 return err; 580 } 581 582 /* Wait until a request is available on the pending list */ 583 static void request_wait(struct fuse_conn *fc) 584 { 585 DECLARE_WAITQUEUE(wait, current); 586 587 add_wait_queue_exclusive(&fc->waitq, &wait); 588 while (fc->mounted && list_empty(&fc->pending)) { 589 set_current_state(TASK_INTERRUPTIBLE); 590 if (signal_pending(current)) 591 break; 592 593 spin_unlock(&fuse_lock); 594 schedule(); 595 spin_lock(&fuse_lock); 596 } 597 set_current_state(TASK_RUNNING); 598 remove_wait_queue(&fc->waitq, &wait); 599 } 600 601 /* 602 * Read a single request into the userspace filesystem's buffer. This 603 * function waits until a request is available, then removes it from 604 * the pending list and copies request data to userspace buffer. If 605 * no reply is needed (FORGET) or request has been interrupted or 606 * there was an error during the copying then it's finished by calling 607 * request_end(). Otherwise add it to the processing list, and set 608 * the 'sent' flag. 609 */ 610 static ssize_t fuse_dev_readv(struct file *file, const struct iovec *iov, 611 unsigned long nr_segs, loff_t *off) 612 { 613 int err; 614 struct fuse_conn *fc; 615 struct fuse_req *req; 616 struct fuse_in *in; 617 struct fuse_copy_state cs; 618 unsigned reqsize; 619 620 spin_lock(&fuse_lock); 621 fc = file->private_data; 622 err = -EPERM; 623 if (!fc) 624 goto err_unlock; 625 request_wait(fc); 626 err = -ENODEV; 627 if (!fc->mounted) 628 goto err_unlock; 629 err = -ERESTARTSYS; 630 if (list_empty(&fc->pending)) 631 goto err_unlock; 632 633 req = list_entry(fc->pending.next, struct fuse_req, list); 634 list_del_init(&req->list); 635 spin_unlock(&fuse_lock); 636 637 in = &req->in; 638 reqsize = req->in.h.len; 639 fuse_copy_init(&cs, 1, req, iov, nr_segs); 640 err = -EINVAL; 641 if (iov_length(iov, nr_segs) >= reqsize) { 642 err = fuse_copy_one(&cs, &in->h, sizeof(in->h)); 643 if (!err) 644 err = fuse_copy_args(&cs, in->numargs, in->argpages, 645 (struct fuse_arg *) in->args, 0); 646 } 647 fuse_copy_finish(&cs); 648 649 spin_lock(&fuse_lock); 650 req->locked = 0; 651 if (!err && req->interrupted) 652 err = -ENOENT; 653 if (err) { 654 if (!req->interrupted) 655 req->out.h.error = -EIO; 656 request_end(fc, req); 657 return err; 658 } 659 if (!req->isreply) 660 request_end(fc, req); 661 else { 662 req->sent = 1; 663 list_add_tail(&req->list, &fc->processing); 664 spin_unlock(&fuse_lock); 665 } 666 return reqsize; 667 668 err_unlock: 669 spin_unlock(&fuse_lock); 670 return err; 671 } 672 673 static ssize_t fuse_dev_read(struct file *file, char __user *buf, 674 size_t nbytes, loff_t *off) 675 { 676 struct iovec iov; 677 iov.iov_len = nbytes; 678 iov.iov_base = buf; 679 return fuse_dev_readv(file, &iov, 1, off); 680 } 681 682 /* Look up request on processing list by unique ID */ 683 static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique) 684 { 685 struct list_head *entry; 686 687 list_for_each(entry, &fc->processing) { 688 struct fuse_req *req; 689 req = list_entry(entry, struct fuse_req, list); 690 if (req->in.h.unique == unique) 691 return req; 692 } 693 return NULL; 694 } 695 696 static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out, 697 unsigned nbytes) 698 { 699 unsigned reqsize = sizeof(struct fuse_out_header); 700 701 if (out->h.error) 702 return nbytes != reqsize ? -EINVAL : 0; 703 704 reqsize += len_args(out->numargs, out->args); 705 706 if (reqsize < nbytes || (reqsize > nbytes && !out->argvar)) 707 return -EINVAL; 708 else if (reqsize > nbytes) { 709 struct fuse_arg *lastarg = &out->args[out->numargs-1]; 710 unsigned diffsize = reqsize - nbytes; 711 if (diffsize > lastarg->size) 712 return -EINVAL; 713 lastarg->size -= diffsize; 714 } 715 return fuse_copy_args(cs, out->numargs, out->argpages, out->args, 716 out->page_zeroing); 717 } 718 719 /* 720 * Write a single reply to a request. First the header is copied from 721 * the write buffer. The request is then searched on the processing 722 * list by the unique ID found in the header. If found, then remove 723 * it from the list and copy the rest of the buffer to the request. 724 * The request is finished by calling request_end() 725 */ 726 static ssize_t fuse_dev_writev(struct file *file, const struct iovec *iov, 727 unsigned long nr_segs, loff_t *off) 728 { 729 int err; 730 unsigned nbytes = iov_length(iov, nr_segs); 731 struct fuse_req *req; 732 struct fuse_out_header oh; 733 struct fuse_copy_state cs; 734 struct fuse_conn *fc = fuse_get_conn(file); 735 if (!fc) 736 return -ENODEV; 737 738 fuse_copy_init(&cs, 0, NULL, iov, nr_segs); 739 if (nbytes < sizeof(struct fuse_out_header)) 740 return -EINVAL; 741 742 err = fuse_copy_one(&cs, &oh, sizeof(oh)); 743 if (err) 744 goto err_finish; 745 err = -EINVAL; 746 if (!oh.unique || oh.error <= -1000 || oh.error > 0 || 747 oh.len != nbytes) 748 goto err_finish; 749 750 spin_lock(&fuse_lock); 751 req = request_find(fc, oh.unique); 752 err = -EINVAL; 753 if (!req) 754 goto err_unlock; 755 756 list_del_init(&req->list); 757 if (req->interrupted) { 758 request_end(fc, req); 759 fuse_copy_finish(&cs); 760 return -ENOENT; 761 } 762 req->out.h = oh; 763 req->locked = 1; 764 cs.req = req; 765 spin_unlock(&fuse_lock); 766 767 err = copy_out_args(&cs, &req->out, nbytes); 768 fuse_copy_finish(&cs); 769 770 spin_lock(&fuse_lock); 771 req->locked = 0; 772 if (!err) { 773 if (req->interrupted) 774 err = -ENOENT; 775 } else if (!req->interrupted) 776 req->out.h.error = -EIO; 777 request_end(fc, req); 778 779 return err ? err : nbytes; 780 781 err_unlock: 782 spin_unlock(&fuse_lock); 783 err_finish: 784 fuse_copy_finish(&cs); 785 return err; 786 } 787 788 static ssize_t fuse_dev_write(struct file *file, const char __user *buf, 789 size_t nbytes, loff_t *off) 790 { 791 struct iovec iov; 792 iov.iov_len = nbytes; 793 iov.iov_base = (char __user *) buf; 794 return fuse_dev_writev(file, &iov, 1, off); 795 } 796 797 static unsigned fuse_dev_poll(struct file *file, poll_table *wait) 798 { 799 struct fuse_conn *fc = fuse_get_conn(file); 800 unsigned mask = POLLOUT | POLLWRNORM; 801 802 if (!fc) 803 return -ENODEV; 804 805 poll_wait(file, &fc->waitq, wait); 806 807 spin_lock(&fuse_lock); 808 if (!list_empty(&fc->pending)) 809 mask |= POLLIN | POLLRDNORM; 810 spin_unlock(&fuse_lock); 811 812 return mask; 813 } 814 815 /* Abort all requests on the given list (pending or processing) */ 816 static void end_requests(struct fuse_conn *fc, struct list_head *head) 817 { 818 while (!list_empty(head)) { 819 struct fuse_req *req; 820 req = list_entry(head->next, struct fuse_req, list); 821 list_del_init(&req->list); 822 req->out.h.error = -ECONNABORTED; 823 request_end(fc, req); 824 spin_lock(&fuse_lock); 825 } 826 } 827 828 static int fuse_dev_release(struct inode *inode, struct file *file) 829 { 830 struct fuse_conn *fc; 831 832 spin_lock(&fuse_lock); 833 fc = file->private_data; 834 if (fc) { 835 fc->connected = 0; 836 end_requests(fc, &fc->pending); 837 end_requests(fc, &fc->processing); 838 fuse_release_conn(fc); 839 } 840 spin_unlock(&fuse_lock); 841 return 0; 842 } 843 844 struct file_operations fuse_dev_operations = { 845 .owner = THIS_MODULE, 846 .llseek = no_llseek, 847 .read = fuse_dev_read, 848 .readv = fuse_dev_readv, 849 .write = fuse_dev_write, 850 .writev = fuse_dev_writev, 851 .poll = fuse_dev_poll, 852 .release = fuse_dev_release, 853 }; 854 855 static struct miscdevice fuse_miscdevice = { 856 .minor = FUSE_MINOR, 857 .name = "fuse", 858 .fops = &fuse_dev_operations, 859 }; 860 861 int __init fuse_dev_init(void) 862 { 863 int err = -ENOMEM; 864 fuse_req_cachep = kmem_cache_create("fuse_request", 865 sizeof(struct fuse_req), 866 0, 0, NULL, NULL); 867 if (!fuse_req_cachep) 868 goto out; 869 870 err = misc_register(&fuse_miscdevice); 871 if (err) 872 goto out_cache_clean; 873 874 return 0; 875 876 out_cache_clean: 877 kmem_cache_destroy(fuse_req_cachep); 878 out: 879 return err; 880 } 881 882 void fuse_dev_cleanup(void) 883 { 884 misc_deregister(&fuse_miscdevice); 885 kmem_cache_destroy(fuse_req_cachep); 886 } 887