xref: /openbmc/linux/fs/fuse/dev.c (revision e868d61272caa648214046a096e5a6bfc068dc8c)
1 /*
2   FUSE: Filesystem in Userspace
3   Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>
4 
5   This program can be distributed under the terms of the GNU GPL.
6   See the file COPYING.
7 */
8 
9 #include "fuse_i.h"
10 
11 #include <linux/init.h>
12 #include <linux/module.h>
13 #include <linux/poll.h>
14 #include <linux/uio.h>
15 #include <linux/miscdevice.h>
16 #include <linux/pagemap.h>
17 #include <linux/file.h>
18 #include <linux/slab.h>
19 
20 MODULE_ALIAS_MISCDEV(FUSE_MINOR);
21 
22 static struct kmem_cache *fuse_req_cachep;
23 
24 static struct fuse_conn *fuse_get_conn(struct file *file)
25 {
26 	/*
27 	 * Lockless access is OK, because file->private data is set
28 	 * once during mount and is valid until the file is released.
29 	 */
30 	return file->private_data;
31 }
32 
33 static void fuse_request_init(struct fuse_req *req)
34 {
35 	memset(req, 0, sizeof(*req));
36 	INIT_LIST_HEAD(&req->list);
37 	INIT_LIST_HEAD(&req->intr_entry);
38 	init_waitqueue_head(&req->waitq);
39 	atomic_set(&req->count, 1);
40 }
41 
42 struct fuse_req *fuse_request_alloc(void)
43 {
44 	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
45 	if (req)
46 		fuse_request_init(req);
47 	return req;
48 }
49 
50 void fuse_request_free(struct fuse_req *req)
51 {
52 	kmem_cache_free(fuse_req_cachep, req);
53 }
54 
55 static void block_sigs(sigset_t *oldset)
56 {
57 	sigset_t mask;
58 
59 	siginitsetinv(&mask, sigmask(SIGKILL));
60 	sigprocmask(SIG_BLOCK, &mask, oldset);
61 }
62 
63 static void restore_sigs(sigset_t *oldset)
64 {
65 	sigprocmask(SIG_SETMASK, oldset, NULL);
66 }
67 
68 static void __fuse_get_request(struct fuse_req *req)
69 {
70 	atomic_inc(&req->count);
71 }
72 
73 /* Must be called with > 1 refcount */
74 static void __fuse_put_request(struct fuse_req *req)
75 {
76 	BUG_ON(atomic_read(&req->count) < 2);
77 	atomic_dec(&req->count);
78 }
79 
80 static void fuse_req_init_context(struct fuse_req *req)
81 {
82 	req->in.h.uid = current->fsuid;
83 	req->in.h.gid = current->fsgid;
84 	req->in.h.pid = current->pid;
85 }
86 
87 struct fuse_req *fuse_get_req(struct fuse_conn *fc)
88 {
89 	struct fuse_req *req;
90 	sigset_t oldset;
91 	int intr;
92 	int err;
93 
94 	atomic_inc(&fc->num_waiting);
95 	block_sigs(&oldset);
96 	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
97 	restore_sigs(&oldset);
98 	err = -EINTR;
99 	if (intr)
100 		goto out;
101 
102 	err = -ENOTCONN;
103 	if (!fc->connected)
104 		goto out;
105 
106 	req = fuse_request_alloc();
107 	err = -ENOMEM;
108 	if (!req)
109 		goto out;
110 
111 	fuse_req_init_context(req);
112 	req->waiting = 1;
113 	return req;
114 
115  out:
116 	atomic_dec(&fc->num_waiting);
117 	return ERR_PTR(err);
118 }
119 
120 /*
121  * Return request in fuse_file->reserved_req.  However that may
122  * currently be in use.  If that is the case, wait for it to become
123  * available.
124  */
125 static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
126 					 struct file *file)
127 {
128 	struct fuse_req *req = NULL;
129 	struct fuse_file *ff = file->private_data;
130 
131 	do {
132 		wait_event(fc->blocked_waitq, ff->reserved_req);
133 		spin_lock(&fc->lock);
134 		if (ff->reserved_req) {
135 			req = ff->reserved_req;
136 			ff->reserved_req = NULL;
137 			get_file(file);
138 			req->stolen_file = file;
139 		}
140 		spin_unlock(&fc->lock);
141 	} while (!req);
142 
143 	return req;
144 }
145 
146 /*
147  * Put stolen request back into fuse_file->reserved_req
148  */
149 static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
150 {
151 	struct file *file = req->stolen_file;
152 	struct fuse_file *ff = file->private_data;
153 
154 	spin_lock(&fc->lock);
155 	fuse_request_init(req);
156 	BUG_ON(ff->reserved_req);
157 	ff->reserved_req = req;
158 	wake_up(&fc->blocked_waitq);
159 	spin_unlock(&fc->lock);
160 	fput(file);
161 }
162 
163 /*
164  * Gets a requests for a file operation, always succeeds
165  *
166  * This is used for sending the FLUSH request, which must get to
167  * userspace, due to POSIX locks which may need to be unlocked.
168  *
169  * If allocation fails due to OOM, use the reserved request in
170  * fuse_file.
171  *
172  * This is very unlikely to deadlock accidentally, since the
173  * filesystem should not have it's own file open.  If deadlock is
174  * intentional, it can still be broken by "aborting" the filesystem.
175  */
176 struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
177 {
178 	struct fuse_req *req;
179 
180 	atomic_inc(&fc->num_waiting);
181 	wait_event(fc->blocked_waitq, !fc->blocked);
182 	req = fuse_request_alloc();
183 	if (!req)
184 		req = get_reserved_req(fc, file);
185 
186 	fuse_req_init_context(req);
187 	req->waiting = 1;
188 	return req;
189 }
190 
191 void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
192 {
193 	if (atomic_dec_and_test(&req->count)) {
194 		if (req->waiting)
195 			atomic_dec(&fc->num_waiting);
196 
197 		if (req->stolen_file)
198 			put_reserved_req(fc, req);
199 		else
200 			fuse_request_free(req);
201 	}
202 }
203 
204 /*
205  * This function is called when a request is finished.  Either a reply
206  * has arrived or it was aborted (and not yet sent) or some error
207  * occurred during communication with userspace, or the device file
208  * was closed.  The requester thread is woken up (if still waiting),
209  * the 'end' callback is called if given, else the reference to the
210  * request is released
211  *
212  * Called with fc->lock, unlocks it
213  */
214 static void request_end(struct fuse_conn *fc, struct fuse_req *req)
215 	__releases(fc->lock)
216 {
217 	void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
218 	req->end = NULL;
219 	list_del(&req->list);
220 	list_del(&req->intr_entry);
221 	req->state = FUSE_REQ_FINISHED;
222 	if (req->background) {
223 		if (fc->num_background == FUSE_MAX_BACKGROUND) {
224 			fc->blocked = 0;
225 			wake_up_all(&fc->blocked_waitq);
226 		}
227 		fc->num_background--;
228 	}
229 	spin_unlock(&fc->lock);
230 	dput(req->dentry);
231 	mntput(req->vfsmount);
232 	if (req->file)
233 		fput(req->file);
234 	wake_up(&req->waitq);
235 	if (end)
236 		end(fc, req);
237 	else
238 		fuse_put_request(fc, req);
239 }
240 
241 static void wait_answer_interruptible(struct fuse_conn *fc,
242 				      struct fuse_req *req)
243 {
244 	if (signal_pending(current))
245 		return;
246 
247 	spin_unlock(&fc->lock);
248 	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
249 	spin_lock(&fc->lock);
250 }
251 
252 static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
253 {
254 	list_add_tail(&req->intr_entry, &fc->interrupts);
255 	wake_up(&fc->waitq);
256 	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
257 }
258 
259 /* Called with fc->lock held.  Releases, and then reacquires it. */
260 static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
261 {
262 	if (!fc->no_interrupt) {
263 		/* Any signal may interrupt this */
264 		wait_answer_interruptible(fc, req);
265 
266 		if (req->aborted)
267 			goto aborted;
268 		if (req->state == FUSE_REQ_FINISHED)
269 			return;
270 
271 		req->interrupted = 1;
272 		if (req->state == FUSE_REQ_SENT)
273 			queue_interrupt(fc, req);
274 	}
275 
276 	if (req->force) {
277 		spin_unlock(&fc->lock);
278 		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
279 		spin_lock(&fc->lock);
280 	} else {
281 		sigset_t oldset;
282 
283 		/* Only fatal signals may interrupt this */
284 		block_sigs(&oldset);
285 		wait_answer_interruptible(fc, req);
286 		restore_sigs(&oldset);
287 	}
288 
289 	if (req->aborted)
290 		goto aborted;
291 	if (req->state == FUSE_REQ_FINISHED)
292  		return;
293 
294 	req->out.h.error = -EINTR;
295 	req->aborted = 1;
296 
297  aborted:
298 	if (req->locked) {
299 		/* This is uninterruptible sleep, because data is
300 		   being copied to/from the buffers of req.  During
301 		   locked state, there mustn't be any filesystem
302 		   operation (e.g. page fault), since that could lead
303 		   to deadlock */
304 		spin_unlock(&fc->lock);
305 		wait_event(req->waitq, !req->locked);
306 		spin_lock(&fc->lock);
307 	}
308 	if (req->state == FUSE_REQ_PENDING) {
309 		list_del(&req->list);
310 		__fuse_put_request(req);
311 	} else if (req->state == FUSE_REQ_SENT) {
312 		spin_unlock(&fc->lock);
313 		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
314 		spin_lock(&fc->lock);
315 	}
316 }
317 
318 static unsigned len_args(unsigned numargs, struct fuse_arg *args)
319 {
320 	unsigned nbytes = 0;
321 	unsigned i;
322 
323 	for (i = 0; i < numargs; i++)
324 		nbytes += args[i].size;
325 
326 	return nbytes;
327 }
328 
329 static u64 fuse_get_unique(struct fuse_conn *fc)
330  {
331  	fc->reqctr++;
332  	/* zero is special */
333  	if (fc->reqctr == 0)
334  		fc->reqctr = 1;
335 
336 	return fc->reqctr;
337 }
338 
339 static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
340 {
341 	req->in.h.unique = fuse_get_unique(fc);
342 	req->in.h.len = sizeof(struct fuse_in_header) +
343 		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
344 	list_add_tail(&req->list, &fc->pending);
345 	req->state = FUSE_REQ_PENDING;
346 	if (!req->waiting) {
347 		req->waiting = 1;
348 		atomic_inc(&fc->num_waiting);
349 	}
350 	wake_up(&fc->waitq);
351 	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
352 }
353 
354 void request_send(struct fuse_conn *fc, struct fuse_req *req)
355 {
356 	req->isreply = 1;
357 	spin_lock(&fc->lock);
358 	if (!fc->connected)
359 		req->out.h.error = -ENOTCONN;
360 	else if (fc->conn_error)
361 		req->out.h.error = -ECONNREFUSED;
362 	else {
363 		queue_request(fc, req);
364 		/* acquire extra reference, since request is still needed
365 		   after request_end() */
366 		__fuse_get_request(req);
367 
368 		request_wait_answer(fc, req);
369 	}
370 	spin_unlock(&fc->lock);
371 }
372 
373 static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
374 {
375 	spin_lock(&fc->lock);
376 	if (fc->connected) {
377 		req->background = 1;
378 		fc->num_background++;
379 		if (fc->num_background == FUSE_MAX_BACKGROUND)
380 			fc->blocked = 1;
381 
382 		queue_request(fc, req);
383 		spin_unlock(&fc->lock);
384 	} else {
385 		req->out.h.error = -ENOTCONN;
386 		request_end(fc, req);
387 	}
388 }
389 
390 void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
391 {
392 	req->isreply = 0;
393 	request_send_nowait(fc, req);
394 }
395 
396 void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
397 {
398 	req->isreply = 1;
399 	request_send_nowait(fc, req);
400 }
401 
402 /*
403  * Lock the request.  Up to the next unlock_request() there mustn't be
404  * anything that could cause a page-fault.  If the request was already
405  * aborted bail out.
406  */
407 static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
408 {
409 	int err = 0;
410 	if (req) {
411 		spin_lock(&fc->lock);
412 		if (req->aborted)
413 			err = -ENOENT;
414 		else
415 			req->locked = 1;
416 		spin_unlock(&fc->lock);
417 	}
418 	return err;
419 }
420 
421 /*
422  * Unlock request.  If it was aborted during being locked, the
423  * requester thread is currently waiting for it to be unlocked, so
424  * wake it up.
425  */
426 static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
427 {
428 	if (req) {
429 		spin_lock(&fc->lock);
430 		req->locked = 0;
431 		if (req->aborted)
432 			wake_up(&req->waitq);
433 		spin_unlock(&fc->lock);
434 	}
435 }
436 
437 struct fuse_copy_state {
438 	struct fuse_conn *fc;
439 	int write;
440 	struct fuse_req *req;
441 	const struct iovec *iov;
442 	unsigned long nr_segs;
443 	unsigned long seglen;
444 	unsigned long addr;
445 	struct page *pg;
446 	void *mapaddr;
447 	void *buf;
448 	unsigned len;
449 };
450 
451 static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
452 			   int write, struct fuse_req *req,
453 			   const struct iovec *iov, unsigned long nr_segs)
454 {
455 	memset(cs, 0, sizeof(*cs));
456 	cs->fc = fc;
457 	cs->write = write;
458 	cs->req = req;
459 	cs->iov = iov;
460 	cs->nr_segs = nr_segs;
461 }
462 
463 /* Unmap and put previous page of userspace buffer */
464 static void fuse_copy_finish(struct fuse_copy_state *cs)
465 {
466 	if (cs->mapaddr) {
467 		kunmap_atomic(cs->mapaddr, KM_USER0);
468 		if (cs->write) {
469 			flush_dcache_page(cs->pg);
470 			set_page_dirty_lock(cs->pg);
471 		}
472 		put_page(cs->pg);
473 		cs->mapaddr = NULL;
474 	}
475 }
476 
477 /*
478  * Get another pagefull of userspace buffer, and map it to kernel
479  * address space, and lock request
480  */
481 static int fuse_copy_fill(struct fuse_copy_state *cs)
482 {
483 	unsigned long offset;
484 	int err;
485 
486 	unlock_request(cs->fc, cs->req);
487 	fuse_copy_finish(cs);
488 	if (!cs->seglen) {
489 		BUG_ON(!cs->nr_segs);
490 		cs->seglen = cs->iov[0].iov_len;
491 		cs->addr = (unsigned long) cs->iov[0].iov_base;
492 		cs->iov ++;
493 		cs->nr_segs --;
494 	}
495 	down_read(&current->mm->mmap_sem);
496 	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
497 			     &cs->pg, NULL);
498 	up_read(&current->mm->mmap_sem);
499 	if (err < 0)
500 		return err;
501 	BUG_ON(err != 1);
502 	offset = cs->addr % PAGE_SIZE;
503 	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
504 	cs->buf = cs->mapaddr + offset;
505 	cs->len = min(PAGE_SIZE - offset, cs->seglen);
506 	cs->seglen -= cs->len;
507 	cs->addr += cs->len;
508 
509 	return lock_request(cs->fc, cs->req);
510 }
511 
512 /* Do as much copy to/from userspace buffer as we can */
513 static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
514 {
515 	unsigned ncpy = min(*size, cs->len);
516 	if (val) {
517 		if (cs->write)
518 			memcpy(cs->buf, *val, ncpy);
519 		else
520 			memcpy(*val, cs->buf, ncpy);
521 		*val += ncpy;
522 	}
523 	*size -= ncpy;
524 	cs->len -= ncpy;
525 	cs->buf += ncpy;
526 	return ncpy;
527 }
528 
529 /*
530  * Copy a page in the request to/from the userspace buffer.  Must be
531  * done atomically
532  */
533 static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
534 			  unsigned offset, unsigned count, int zeroing)
535 {
536 	if (page && zeroing && count < PAGE_SIZE) {
537 		void *mapaddr = kmap_atomic(page, KM_USER1);
538 		memset(mapaddr, 0, PAGE_SIZE);
539 		kunmap_atomic(mapaddr, KM_USER1);
540 	}
541 	while (count) {
542 		int err;
543 		if (!cs->len && (err = fuse_copy_fill(cs)))
544 			return err;
545 		if (page) {
546 			void *mapaddr = kmap_atomic(page, KM_USER1);
547 			void *buf = mapaddr + offset;
548 			offset += fuse_copy_do(cs, &buf, &count);
549 			kunmap_atomic(mapaddr, KM_USER1);
550 		} else
551 			offset += fuse_copy_do(cs, NULL, &count);
552 	}
553 	if (page && !cs->write)
554 		flush_dcache_page(page);
555 	return 0;
556 }
557 
558 /* Copy pages in the request to/from userspace buffer */
559 static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
560 			   int zeroing)
561 {
562 	unsigned i;
563 	struct fuse_req *req = cs->req;
564 	unsigned offset = req->page_offset;
565 	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
566 
567 	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
568 		struct page *page = req->pages[i];
569 		int err = fuse_copy_page(cs, page, offset, count, zeroing);
570 		if (err)
571 			return err;
572 
573 		nbytes -= count;
574 		count = min(nbytes, (unsigned) PAGE_SIZE);
575 		offset = 0;
576 	}
577 	return 0;
578 }
579 
580 /* Copy a single argument in the request to/from userspace buffer */
581 static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
582 {
583 	while (size) {
584 		int err;
585 		if (!cs->len && (err = fuse_copy_fill(cs)))
586 			return err;
587 		fuse_copy_do(cs, &val, &size);
588 	}
589 	return 0;
590 }
591 
592 /* Copy request arguments to/from userspace buffer */
593 static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
594 			  unsigned argpages, struct fuse_arg *args,
595 			  int zeroing)
596 {
597 	int err = 0;
598 	unsigned i;
599 
600 	for (i = 0; !err && i < numargs; i++)  {
601 		struct fuse_arg *arg = &args[i];
602 		if (i == numargs - 1 && argpages)
603 			err = fuse_copy_pages(cs, arg->size, zeroing);
604 		else
605 			err = fuse_copy_one(cs, arg->value, arg->size);
606 	}
607 	return err;
608 }
609 
610 static int request_pending(struct fuse_conn *fc)
611 {
612 	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
613 }
614 
615 /* Wait until a request is available on the pending list */
616 static void request_wait(struct fuse_conn *fc)
617 {
618 	DECLARE_WAITQUEUE(wait, current);
619 
620 	add_wait_queue_exclusive(&fc->waitq, &wait);
621 	while (fc->connected && !request_pending(fc)) {
622 		set_current_state(TASK_INTERRUPTIBLE);
623 		if (signal_pending(current))
624 			break;
625 
626 		spin_unlock(&fc->lock);
627 		schedule();
628 		spin_lock(&fc->lock);
629 	}
630 	set_current_state(TASK_RUNNING);
631 	remove_wait_queue(&fc->waitq, &wait);
632 }
633 
634 /*
635  * Transfer an interrupt request to userspace
636  *
637  * Unlike other requests this is assembled on demand, without a need
638  * to allocate a separate fuse_req structure.
639  *
640  * Called with fc->lock held, releases it
641  */
642 static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
643 			       const struct iovec *iov, unsigned long nr_segs)
644 	__releases(fc->lock)
645 {
646 	struct fuse_copy_state cs;
647 	struct fuse_in_header ih;
648 	struct fuse_interrupt_in arg;
649 	unsigned reqsize = sizeof(ih) + sizeof(arg);
650 	int err;
651 
652 	list_del_init(&req->intr_entry);
653 	req->intr_unique = fuse_get_unique(fc);
654 	memset(&ih, 0, sizeof(ih));
655 	memset(&arg, 0, sizeof(arg));
656 	ih.len = reqsize;
657 	ih.opcode = FUSE_INTERRUPT;
658 	ih.unique = req->intr_unique;
659 	arg.unique = req->in.h.unique;
660 
661 	spin_unlock(&fc->lock);
662 	if (iov_length(iov, nr_segs) < reqsize)
663 		return -EINVAL;
664 
665 	fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
666 	err = fuse_copy_one(&cs, &ih, sizeof(ih));
667 	if (!err)
668 		err = fuse_copy_one(&cs, &arg, sizeof(arg));
669 	fuse_copy_finish(&cs);
670 
671 	return err ? err : reqsize;
672 }
673 
674 /*
675  * Read a single request into the userspace filesystem's buffer.  This
676  * function waits until a request is available, then removes it from
677  * the pending list and copies request data to userspace buffer.  If
678  * no reply is needed (FORGET) or request has been aborted or there
679  * was an error during the copying then it's finished by calling
680  * request_end().  Otherwise add it to the processing list, and set
681  * the 'sent' flag.
682  */
683 static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
684 			      unsigned long nr_segs, loff_t pos)
685 {
686 	int err;
687 	struct fuse_req *req;
688 	struct fuse_in *in;
689 	struct fuse_copy_state cs;
690 	unsigned reqsize;
691 	struct file *file = iocb->ki_filp;
692 	struct fuse_conn *fc = fuse_get_conn(file);
693 	if (!fc)
694 		return -EPERM;
695 
696  restart:
697 	spin_lock(&fc->lock);
698 	err = -EAGAIN;
699 	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
700 	    !request_pending(fc))
701 		goto err_unlock;
702 
703 	request_wait(fc);
704 	err = -ENODEV;
705 	if (!fc->connected)
706 		goto err_unlock;
707 	err = -ERESTARTSYS;
708 	if (!request_pending(fc))
709 		goto err_unlock;
710 
711 	if (!list_empty(&fc->interrupts)) {
712 		req = list_entry(fc->interrupts.next, struct fuse_req,
713 				 intr_entry);
714 		return fuse_read_interrupt(fc, req, iov, nr_segs);
715 	}
716 
717 	req = list_entry(fc->pending.next, struct fuse_req, list);
718 	req->state = FUSE_REQ_READING;
719 	list_move(&req->list, &fc->io);
720 
721 	in = &req->in;
722 	reqsize = in->h.len;
723 	/* If request is too large, reply with an error and restart the read */
724 	if (iov_length(iov, nr_segs) < reqsize) {
725 		req->out.h.error = -EIO;
726 		/* SETXATTR is special, since it may contain too large data */
727 		if (in->h.opcode == FUSE_SETXATTR)
728 			req->out.h.error = -E2BIG;
729 		request_end(fc, req);
730 		goto restart;
731 	}
732 	spin_unlock(&fc->lock);
733 	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
734 	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
735 	if (!err)
736 		err = fuse_copy_args(&cs, in->numargs, in->argpages,
737 				     (struct fuse_arg *) in->args, 0);
738 	fuse_copy_finish(&cs);
739 	spin_lock(&fc->lock);
740 	req->locked = 0;
741 	if (!err && req->aborted)
742 		err = -ENOENT;
743 	if (err) {
744 		if (!req->aborted)
745 			req->out.h.error = -EIO;
746 		request_end(fc, req);
747 		return err;
748 	}
749 	if (!req->isreply)
750 		request_end(fc, req);
751 	else {
752 		req->state = FUSE_REQ_SENT;
753 		list_move_tail(&req->list, &fc->processing);
754 		if (req->interrupted)
755 			queue_interrupt(fc, req);
756 		spin_unlock(&fc->lock);
757 	}
758 	return reqsize;
759 
760  err_unlock:
761 	spin_unlock(&fc->lock);
762 	return err;
763 }
764 
765 /* Look up request on processing list by unique ID */
766 static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
767 {
768 	struct list_head *entry;
769 
770 	list_for_each(entry, &fc->processing) {
771 		struct fuse_req *req;
772 		req = list_entry(entry, struct fuse_req, list);
773 		if (req->in.h.unique == unique || req->intr_unique == unique)
774 			return req;
775 	}
776 	return NULL;
777 }
778 
779 static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
780 			 unsigned nbytes)
781 {
782 	unsigned reqsize = sizeof(struct fuse_out_header);
783 
784 	if (out->h.error)
785 		return nbytes != reqsize ? -EINVAL : 0;
786 
787 	reqsize += len_args(out->numargs, out->args);
788 
789 	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
790 		return -EINVAL;
791 	else if (reqsize > nbytes) {
792 		struct fuse_arg *lastarg = &out->args[out->numargs-1];
793 		unsigned diffsize = reqsize - nbytes;
794 		if (diffsize > lastarg->size)
795 			return -EINVAL;
796 		lastarg->size -= diffsize;
797 	}
798 	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
799 			      out->page_zeroing);
800 }
801 
802 /*
803  * Write a single reply to a request.  First the header is copied from
804  * the write buffer.  The request is then searched on the processing
805  * list by the unique ID found in the header.  If found, then remove
806  * it from the list and copy the rest of the buffer to the request.
807  * The request is finished by calling request_end()
808  */
809 static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
810 			       unsigned long nr_segs, loff_t pos)
811 {
812 	int err;
813 	unsigned nbytes = iov_length(iov, nr_segs);
814 	struct fuse_req *req;
815 	struct fuse_out_header oh;
816 	struct fuse_copy_state cs;
817 	struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
818 	if (!fc)
819 		return -EPERM;
820 
821 	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
822 	if (nbytes < sizeof(struct fuse_out_header))
823 		return -EINVAL;
824 
825 	err = fuse_copy_one(&cs, &oh, sizeof(oh));
826 	if (err)
827 		goto err_finish;
828 	err = -EINVAL;
829 	if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
830 	    oh.len != nbytes)
831 		goto err_finish;
832 
833 	spin_lock(&fc->lock);
834 	err = -ENOENT;
835 	if (!fc->connected)
836 		goto err_unlock;
837 
838 	req = request_find(fc, oh.unique);
839 	if (!req)
840 		goto err_unlock;
841 
842 	if (req->aborted) {
843 		spin_unlock(&fc->lock);
844 		fuse_copy_finish(&cs);
845 		spin_lock(&fc->lock);
846 		request_end(fc, req);
847 		return -ENOENT;
848 	}
849 	/* Is it an interrupt reply? */
850 	if (req->intr_unique == oh.unique) {
851 		err = -EINVAL;
852 		if (nbytes != sizeof(struct fuse_out_header))
853 			goto err_unlock;
854 
855 		if (oh.error == -ENOSYS)
856 			fc->no_interrupt = 1;
857 		else if (oh.error == -EAGAIN)
858 			queue_interrupt(fc, req);
859 
860 		spin_unlock(&fc->lock);
861 		fuse_copy_finish(&cs);
862 		return nbytes;
863 	}
864 
865 	req->state = FUSE_REQ_WRITING;
866 	list_move(&req->list, &fc->io);
867 	req->out.h = oh;
868 	req->locked = 1;
869 	cs.req = req;
870 	spin_unlock(&fc->lock);
871 
872 	err = copy_out_args(&cs, &req->out, nbytes);
873 	fuse_copy_finish(&cs);
874 
875 	spin_lock(&fc->lock);
876 	req->locked = 0;
877 	if (!err) {
878 		if (req->aborted)
879 			err = -ENOENT;
880 	} else if (!req->aborted)
881 		req->out.h.error = -EIO;
882 	request_end(fc, req);
883 
884 	return err ? err : nbytes;
885 
886  err_unlock:
887 	spin_unlock(&fc->lock);
888  err_finish:
889 	fuse_copy_finish(&cs);
890 	return err;
891 }
892 
893 static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
894 {
895 	unsigned mask = POLLOUT | POLLWRNORM;
896 	struct fuse_conn *fc = fuse_get_conn(file);
897 	if (!fc)
898 		return POLLERR;
899 
900 	poll_wait(file, &fc->waitq, wait);
901 
902 	spin_lock(&fc->lock);
903 	if (!fc->connected)
904 		mask = POLLERR;
905 	else if (request_pending(fc))
906 		mask |= POLLIN | POLLRDNORM;
907 	spin_unlock(&fc->lock);
908 
909 	return mask;
910 }
911 
912 /*
913  * Abort all requests on the given list (pending or processing)
914  *
915  * This function releases and reacquires fc->lock
916  */
917 static void end_requests(struct fuse_conn *fc, struct list_head *head)
918 {
919 	while (!list_empty(head)) {
920 		struct fuse_req *req;
921 		req = list_entry(head->next, struct fuse_req, list);
922 		req->out.h.error = -ECONNABORTED;
923 		request_end(fc, req);
924 		spin_lock(&fc->lock);
925 	}
926 }
927 
928 /*
929  * Abort requests under I/O
930  *
931  * The requests are set to aborted and finished, and the request
932  * waiter is woken up.  This will make request_wait_answer() wait
933  * until the request is unlocked and then return.
934  *
935  * If the request is asynchronous, then the end function needs to be
936  * called after waiting for the request to be unlocked (if it was
937  * locked).
938  */
939 static void end_io_requests(struct fuse_conn *fc)
940 {
941 	while (!list_empty(&fc->io)) {
942 		struct fuse_req *req =
943 			list_entry(fc->io.next, struct fuse_req, list);
944 		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
945 
946 		req->aborted = 1;
947 		req->out.h.error = -ECONNABORTED;
948 		req->state = FUSE_REQ_FINISHED;
949 		list_del_init(&req->list);
950 		wake_up(&req->waitq);
951 		if (end) {
952 			req->end = NULL;
953 			/* The end function will consume this reference */
954 			__fuse_get_request(req);
955 			spin_unlock(&fc->lock);
956 			wait_event(req->waitq, !req->locked);
957 			end(fc, req);
958 			spin_lock(&fc->lock);
959 		}
960 	}
961 }
962 
963 /*
964  * Abort all requests.
965  *
966  * Emergency exit in case of a malicious or accidental deadlock, or
967  * just a hung filesystem.
968  *
969  * The same effect is usually achievable through killing the
970  * filesystem daemon and all users of the filesystem.  The exception
971  * is the combination of an asynchronous request and the tricky
972  * deadlock (see Documentation/filesystems/fuse.txt).
973  *
974  * During the aborting, progression of requests from the pending and
975  * processing lists onto the io list, and progression of new requests
976  * onto the pending list is prevented by req->connected being false.
977  *
978  * Progression of requests under I/O to the processing list is
979  * prevented by the req->aborted flag being true for these requests.
980  * For this reason requests on the io list must be aborted first.
981  */
982 void fuse_abort_conn(struct fuse_conn *fc)
983 {
984 	spin_lock(&fc->lock);
985 	if (fc->connected) {
986 		fc->connected = 0;
987 		fc->blocked = 0;
988 		end_io_requests(fc);
989 		end_requests(fc, &fc->pending);
990 		end_requests(fc, &fc->processing);
991 		wake_up_all(&fc->waitq);
992 		wake_up_all(&fc->blocked_waitq);
993 		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
994 	}
995 	spin_unlock(&fc->lock);
996 }
997 
998 static int fuse_dev_release(struct inode *inode, struct file *file)
999 {
1000 	struct fuse_conn *fc = fuse_get_conn(file);
1001 	if (fc) {
1002 		spin_lock(&fc->lock);
1003 		fc->connected = 0;
1004 		end_requests(fc, &fc->pending);
1005 		end_requests(fc, &fc->processing);
1006 		spin_unlock(&fc->lock);
1007 		fasync_helper(-1, file, 0, &fc->fasync);
1008 		fuse_conn_put(fc);
1009 	}
1010 
1011 	return 0;
1012 }
1013 
1014 static int fuse_dev_fasync(int fd, struct file *file, int on)
1015 {
1016 	struct fuse_conn *fc = fuse_get_conn(file);
1017 	if (!fc)
1018 		return -EPERM;
1019 
1020 	/* No locking - fasync_helper does its own locking */
1021 	return fasync_helper(fd, file, on, &fc->fasync);
1022 }
1023 
1024 const struct file_operations fuse_dev_operations = {
1025 	.owner		= THIS_MODULE,
1026 	.llseek		= no_llseek,
1027 	.read		= do_sync_read,
1028 	.aio_read	= fuse_dev_read,
1029 	.write		= do_sync_write,
1030 	.aio_write	= fuse_dev_write,
1031 	.poll		= fuse_dev_poll,
1032 	.release	= fuse_dev_release,
1033 	.fasync		= fuse_dev_fasync,
1034 };
1035 
1036 static struct miscdevice fuse_miscdevice = {
1037 	.minor = FUSE_MINOR,
1038 	.name  = "fuse",
1039 	.fops = &fuse_dev_operations,
1040 };
1041 
1042 int __init fuse_dev_init(void)
1043 {
1044 	int err = -ENOMEM;
1045 	fuse_req_cachep = kmem_cache_create("fuse_request",
1046 					    sizeof(struct fuse_req),
1047 					    0, 0, NULL, NULL);
1048 	if (!fuse_req_cachep)
1049 		goto out;
1050 
1051 	err = misc_register(&fuse_miscdevice);
1052 	if (err)
1053 		goto out_cache_clean;
1054 
1055 	return 0;
1056 
1057  out_cache_clean:
1058 	kmem_cache_destroy(fuse_req_cachep);
1059  out:
1060 	return err;
1061 }
1062 
1063 void fuse_dev_cleanup(void)
1064 {
1065 	misc_deregister(&fuse_miscdevice);
1066 	kmem_cache_destroy(fuse_req_cachep);
1067 }
1068