/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include "fuse_i.h"

#include <linux/init.h>
#include <linux/module.h>
#include <linux/poll.h>
#include <linux/uio.h>
#include <linux/miscdevice.h>
#include <linux/pagemap.h>
#include <linux/file.h>
#include <linux/slab.h>

MODULE_ALIAS_MISCDEV(FUSE_MINOR);

static struct kmem_cache *fuse_req_cachep;

static struct fuse_conn *fuse_get_conn(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return file->private_data;
}

static void fuse_request_init(struct fuse_req *req)
{
	memset(req, 0, sizeof(*req));
	INIT_LIST_HEAD(&req->list);
	INIT_LIST_HEAD(&req->intr_entry);
	init_waitqueue_head(&req->waitq);
	atomic_set(&req->count, 1);
}

struct fuse_req *fuse_request_alloc(void)
{
	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
	if (req)
		fuse_request_init(req);
	return req;
}

void fuse_request_free(struct fuse_req *req)
{
	kmem_cache_free(fuse_req_cachep, req);
}

static void block_sigs(sigset_t *oldset)
{
	sigset_t mask;

	siginitsetinv(&mask, sigmask(SIGKILL));
	sigprocmask(SIG_BLOCK, &mask, oldset);
}

static void restore_sigs(sigset_t *oldset)
{
	sigprocmask(SIG_SETMASK, oldset, NULL);
}

static void __fuse_get_request(struct fuse_req *req)
{
	atomic_inc(&req->count);
}

/* Must be called with > 1 refcount */
static void __fuse_put_request(struct fuse_req *req)
{
	BUG_ON(atomic_read(&req->count) < 2);
	atomic_dec(&req->count);
}

static void fuse_req_init_context(struct fuse_req *req)
{
	req->in.h.uid = current->fsuid;
	req->in.h.gid = current->fsgid;
	req->in.h.pid = current->pid;
}

struct fuse_req *fuse_get_req(struct fuse_conn *fc)
{
	struct fuse_req *req;
	sigset_t oldset;
	int intr;
	int err;

	atomic_inc(&fc->num_waiting);
	block_sigs(&oldset);
	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
	restore_sigs(&oldset);
	err = -EINTR;
	if (intr)
		goto out;

	err = -ENOTCONN;
	if (!fc->connected)
		goto out;

	req = fuse_request_alloc();
	err = -ENOMEM;
	if (!req)
		goto out;

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;

 out:
	atomic_dec(&fc->num_waiting);
	return ERR_PTR(err);
}
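
/*
 * Typical caller pattern (sketch only; the real callers live in
 * dir.c/file.c and differ per opcode): allocate a request, fill in
 * req->in, send it synchronously, pick up the error code from the
 * reply header, then drop the reference:
 *
 *	req = fuse_get_req(fc);
 *	if (IS_ERR(req))
 *		return PTR_ERR(req);
 *	... fill in req->in.h.opcode, req->in.args[] ...
 *	request_send(fc, req);
 *	err = req->out.h.error;
 *	fuse_put_request(fc, req);
 */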

/*
 * Return request in fuse_file->reserved_req.  However that may
 * currently be in use.  If that is the case, wait for it to become
 * available.
 */
static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
					 struct file *file)
{
	struct fuse_req *req = NULL;
	struct fuse_file *ff = file->private_data;

	do {
		wait_event(fc->blocked_waitq, ff->reserved_req);
		spin_lock(&fc->lock);
		if (ff->reserved_req) {
			req = ff->reserved_req;
			ff->reserved_req = NULL;
			get_file(file);
			req->stolen_file = file;
		}
		spin_unlock(&fc->lock);
	} while (!req);

	return req;
}

/*
 * Put stolen request back into fuse_file->reserved_req
 */
static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
{
	struct file *file = req->stolen_file;
	struct fuse_file *ff = file->private_data;

	spin_lock(&fc->lock);
	fuse_request_init(req);
	BUG_ON(ff->reserved_req);
	ff->reserved_req = req;
	wake_up(&fc->blocked_waitq);
	spin_unlock(&fc->lock);
	fput(file);
}

/*
 * Gets a request for a file operation, always succeeds
 *
 * This is used for sending the FLUSH request, which must get to
 * userspace, due to POSIX locks which may need to be unlocked.
 *
 * If allocation fails due to OOM, use the reserved request in
 * fuse_file.
 *
 * This is very unlikely to deadlock accidentally, since the
 * filesystem should not have its own file open.  If deadlock is
 * intentional, it can still be broken by "aborting" the filesystem.
 */
struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
{
	struct fuse_req *req;

	atomic_inc(&fc->num_waiting);
	wait_event(fc->blocked_waitq, !fc->blocked);
	req = fuse_request_alloc();
	if (!req)
		req = get_reserved_req(fc, file);

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;
}

void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (atomic_dec_and_test(&req->count)) {
		if (req->waiting)
			atomic_dec(&fc->num_waiting);

		if (req->stolen_file)
			put_reserved_req(fc, req);
		else
			fuse_request_free(req);
	}
}
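
/*
 * Reference counting in a nutshell (informal summary of the code
 * above and of request_send() below): fuse_request_init() starts
 * req->count at 1, which is the caller's reference.  request_send()
 * takes an extra reference so the request survives request_end(),
 * and the caller drops its own reference with fuse_put_request()
 * after reading the reply.  The final put either frees the request
 * or, for a "stolen" reserved request, returns it to its fuse_file.
 */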

/*
 * This function is called when a request is finished.  Either a reply
 * has arrived or it was aborted (and not yet sent) or some error
 * occurred during communication with userspace, or the device file
 * was closed.  The requester thread is woken up (if still waiting),
 * the 'end' callback is called if given, else the reference to the
 * request is released
 *
 * Called with fc->lock, unlocks it
 */
static void request_end(struct fuse_conn *fc, struct fuse_req *req)
	__releases(fc->lock)
{
	void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
	req->end = NULL;
	list_del(&req->list);
	list_del(&req->intr_entry);
	req->state = FUSE_REQ_FINISHED;
	if (req->background) {
		if (fc->num_background == FUSE_MAX_BACKGROUND) {
			fc->blocked = 0;
			wake_up_all(&fc->blocked_waitq);
		}
		fc->num_background--;
	}
	spin_unlock(&fc->lock);
	dput(req->dentry);
	mntput(req->vfsmount);
	if (req->file)
		fput(req->file);
	wake_up(&req->waitq);
	if (end)
		end(fc, req);
	else
		fuse_put_request(fc, req);
}

static void wait_answer_interruptible(struct fuse_conn *fc,
				      struct fuse_req *req)
{
	if (signal_pending(current))
		return;

	spin_unlock(&fc->lock);
	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);
}

static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
{
	list_add_tail(&req->intr_entry, &fc->interrupts);
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}
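
/*
 * Request states, as driven by this file (informal sketch):
 *
 *	FUSE_REQ_PENDING   queued on fc->pending by queue_request()
 *	FUSE_REQ_READING   being copied to userspace in fuse_dev_read()
 *	FUSE_REQ_SENT      on fc->processing, waiting for a reply
 *	FUSE_REQ_WRITING   reply being copied in fuse_dev_write()
 *	FUSE_REQ_FINISHED  completed by request_end()
 */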

/* Called with fc->lock held.  Releases, and then reacquires it. */
static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
{
	if (!fc->no_interrupt) {
		/* Any signal may interrupt this */
		wait_answer_interruptible(fc, req);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		req->interrupted = 1;
		if (req->state == FUSE_REQ_SENT)
			queue_interrupt(fc, req);
	}

	if (req->force) {
		spin_unlock(&fc->lock);
		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
		spin_lock(&fc->lock);
	} else {
		sigset_t oldset;

		/* Only fatal signals may interrupt this */
		block_sigs(&oldset);
		wait_answer_interruptible(fc, req);
		restore_sigs(&oldset);
	}

	if (req->aborted)
		goto aborted;
	if (req->state == FUSE_REQ_FINISHED)
		return;

	req->out.h.error = -EINTR;
	req->aborted = 1;

 aborted:
	if (req->locked) {
		/* This is uninterruptible sleep, because data is
		   being copied to/from the buffers of req.  During
		   locked state, there mustn't be any filesystem
		   operation (e.g. page fault), since that could lead
		   to deadlock */
		spin_unlock(&fc->lock);
		wait_event(req->waitq, !req->locked);
		spin_lock(&fc->lock);
	}
	if (req->state == FUSE_REQ_PENDING) {
		list_del(&req->list);
		__fuse_put_request(req);
	} else if (req->state == FUSE_REQ_SENT) {
		spin_unlock(&fc->lock);
		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
		spin_lock(&fc->lock);
	}
}

static unsigned len_args(unsigned numargs, struct fuse_arg *args)
{
	unsigned nbytes = 0;
	unsigned i;

	for (i = 0; i < numargs; i++)
		nbytes += args[i].size;

	return nbytes;
}

static u64 fuse_get_unique(struct fuse_conn *fc)
{
	fc->reqctr++;
	/* zero is special */
	if (fc->reqctr == 0)
		fc->reqctr = 1;

	return fc->reqctr;
}

static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
{
	req->in.h.unique = fuse_get_unique(fc);
	req->in.h.len = sizeof(struct fuse_in_header) +
		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
	list_add_tail(&req->list, &fc->pending);
	req->state = FUSE_REQ_PENDING;
	if (!req->waiting) {
		req->waiting = 1;
		atomic_inc(&fc->num_waiting);
	}
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

void request_send(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	spin_lock(&fc->lock);
	if (!fc->connected)
		req->out.h.error = -ENOTCONN;
	else if (fc->conn_error)
		req->out.h.error = -ECONNREFUSED;
	else {
		queue_request(fc, req);
		/* acquire extra reference, since request is still needed
		   after request_end() */
		__fuse_get_request(req);

		request_wait_answer(fc, req);
	}
	spin_unlock(&fc->lock);
}

static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		req->background = 1;
		fc->num_background++;
		if (fc->num_background == FUSE_MAX_BACKGROUND)
			fc->blocked = 1;

		queue_request(fc, req);
		spin_unlock(&fc->lock);
	} else {
		req->out.h.error = -ENOTCONN;
		request_end(fc, req);
	}
}

void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 0;
	request_send_nowait(fc, req);
}

void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	request_send_nowait(fc, req);
}
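
/*
 * Summary of the three ways a request can be submitted (sketch):
 *
 * request_send()            synchronous; blocks in request_wait_answer()
 *                           until the reply arrives or the request is
 *                           aborted/interrupted.
 * request_send_noreply()    fire and forget (e.g. FORGET); finished as
 *                           soon as the daemon has read it.
 * request_send_background() asynchronous with a reply; completion is
 *                           delivered through req->end().  At most
 *                           FUSE_MAX_BACKGROUND such requests may be in
 *                           flight before new allocations block on
 *                           fc->blocked_waitq.
 */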

/*
 * Lock the request.  Up to the next unlock_request() there mustn't be
 * anything that could cause a page-fault.  If the request was already
 * aborted bail out.
 */
static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	int err = 0;
	if (req) {
		spin_lock(&fc->lock);
		if (req->aborted)
			err = -ENOENT;
		else
			req->locked = 1;
		spin_unlock(&fc->lock);
	}
	return err;
}

/*
 * Unlock request.  If it was aborted during being locked, the
 * requester thread is currently waiting for it to be unlocked, so
 * wake it up.
 */
static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (req) {
		spin_lock(&fc->lock);
		req->locked = 0;
		if (req->aborted)
			wake_up(&req->waitq);
		spin_unlock(&fc->lock);
	}
}

struct fuse_copy_state {
	struct fuse_conn *fc;
	int write;
	struct fuse_req *req;
	const struct iovec *iov;
	unsigned long nr_segs;
	unsigned long seglen;
	unsigned long addr;
	struct page *pg;
	void *mapaddr;
	void *buf;
	unsigned len;
};

static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
			   int write, struct fuse_req *req,
			   const struct iovec *iov, unsigned long nr_segs)
{
	memset(cs, 0, sizeof(*cs));
	cs->fc = fc;
	cs->write = write;
	cs->req = req;
	cs->iov = iov;
	cs->nr_segs = nr_segs;
}

/* Unmap and put previous page of userspace buffer */
static void fuse_copy_finish(struct fuse_copy_state *cs)
{
	if (cs->mapaddr) {
		kunmap_atomic(cs->mapaddr, KM_USER0);
		if (cs->write) {
			flush_dcache_page(cs->pg);
			set_page_dirty_lock(cs->pg);
		}
		put_page(cs->pg);
		cs->mapaddr = NULL;
	}
}

/*
 * Get another pagefull of userspace buffer, and map it to kernel
 * address space, and lock request
 */
static int fuse_copy_fill(struct fuse_copy_state *cs)
{
	unsigned long offset;
	int err;

	unlock_request(cs->fc, cs->req);
	fuse_copy_finish(cs);
	if (!cs->seglen) {
		BUG_ON(!cs->nr_segs);
		cs->seglen = cs->iov[0].iov_len;
		cs->addr = (unsigned long) cs->iov[0].iov_base;
		cs->iov++;
		cs->nr_segs--;
	}
	down_read(&current->mm->mmap_sem);
	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
			     &cs->pg, NULL);
	up_read(&current->mm->mmap_sem);
	if (err < 0)
		return err;
	BUG_ON(err != 1);
	offset = cs->addr % PAGE_SIZE;
	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
	cs->buf = cs->mapaddr + offset;
	cs->len = min(PAGE_SIZE - offset, cs->seglen);
	cs->seglen -= cs->len;
	cs->addr += cs->len;

	return lock_request(cs->fc, cs->req);
}

/* Do as much copy to/from userspace buffer as we can */
static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
{
	unsigned ncpy = min(*size, cs->len);
	if (val) {
		if (cs->write)
			memcpy(cs->buf, *val, ncpy);
		else
			memcpy(*val, cs->buf, ncpy);
		*val += ncpy;
	}
	*size -= ncpy;
	cs->len -= ncpy;
	cs->buf += ncpy;
	return ncpy;
}
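
/*
 * The fuse_copy_* helpers implement a simple scatter/gather copy
 * between the request's arguments/pages and the iovec supplied to
 * read()/write() on the device.  The pattern used by the callers
 * below is roughly:
 *
 *	while (size remains) {
 *		if (!cs->len && (err = fuse_copy_fill(cs)))
 *			return err;
 *		fuse_copy_do(cs, &ptr, &size);
 *	}
 *
 * fuse_copy_fill() unlocks the request across get_user_pages(), which
 * may sleep or fault, and relocks it before the actual memcpy; while
 * locked nothing may page-fault (see lock_request() above).
 */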

/*
 * Copy a page in the request to/from the userspace buffer.  Must be
 * done atomically
 */
static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
			  unsigned offset, unsigned count, int zeroing)
{
	if (page && zeroing && count < PAGE_SIZE) {
		void *mapaddr = kmap_atomic(page, KM_USER1);
		memset(mapaddr, 0, PAGE_SIZE);
		kunmap_atomic(mapaddr, KM_USER1);
	}
	while (count) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		if (page) {
			void *mapaddr = kmap_atomic(page, KM_USER1);
			void *buf = mapaddr + offset;
			offset += fuse_copy_do(cs, &buf, &count);
			kunmap_atomic(mapaddr, KM_USER1);
		} else
			offset += fuse_copy_do(cs, NULL, &count);
	}
	if (page && !cs->write)
		flush_dcache_page(page);
	return 0;
}

/* Copy pages in the request to/from userspace buffer */
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
			   int zeroing)
{
	unsigned i;
	struct fuse_req *req = cs->req;
	unsigned offset = req->page_offset;
	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
		struct page *page = req->pages[i];
		int err = fuse_copy_page(cs, page, offset, count, zeroing);
		if (err)
			return err;

		nbytes -= count;
		count = min(nbytes, (unsigned) PAGE_SIZE);
		offset = 0;
	}
	return 0;
}

/* Copy a single argument in the request to/from userspace buffer */
static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
{
	while (size) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		fuse_copy_do(cs, &val, &size);
	}
	return 0;
}

/* Copy request arguments to/from userspace buffer */
static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
			  unsigned argpages, struct fuse_arg *args,
			  int zeroing)
{
	int err = 0;
	unsigned i;

	for (i = 0; !err && i < numargs; i++) {
		struct fuse_arg *arg = &args[i];
		if (i == numargs - 1 && argpages)
			err = fuse_copy_pages(cs, arg->size, zeroing);
		else
			err = fuse_copy_one(cs, arg->value, arg->size);
	}
	return err;
}
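
/*
 * What the daemon actually sees on the wire (informal layout, derived
 * from queue_request() and fuse_copy_args()): each read() from the
 * device returns one request,
 *
 *	struct fuse_in_header	(len, opcode, unique, nodeid, uid, ...)
 *	in.args[0] .. in.args[numargs-1]
 *
 * where the last argument may be backed by page data (argpages), e.g.
 * the payload of a WRITE.  in.h.len covers the header plus all
 * arguments.
 */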

static int request_pending(struct fuse_conn *fc)
{
	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
}

/* Wait until a request is available on the pending list */
static void request_wait(struct fuse_conn *fc)
{
	DECLARE_WAITQUEUE(wait, current);

	add_wait_queue_exclusive(&fc->waitq, &wait);
	while (fc->connected && !request_pending(fc)) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (signal_pending(current))
			break;

		spin_unlock(&fc->lock);
		schedule();
		spin_lock(&fc->lock);
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(&fc->waitq, &wait);
}

/*
 * Transfer an interrupt request to userspace
 *
 * Unlike other requests this is assembled on demand, without a need
 * to allocate a separate fuse_req structure.
 *
 * Called with fc->lock held, releases it
 */
static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
			       const struct iovec *iov, unsigned long nr_segs)
	__releases(fc->lock)
{
	struct fuse_copy_state cs;
	struct fuse_in_header ih;
	struct fuse_interrupt_in arg;
	unsigned reqsize = sizeof(ih) + sizeof(arg);
	int err;

	list_del_init(&req->intr_entry);
	req->intr_unique = fuse_get_unique(fc);
	memset(&ih, 0, sizeof(ih));
	memset(&arg, 0, sizeof(arg));
	ih.len = reqsize;
	ih.opcode = FUSE_INTERRUPT;
	ih.unique = req->intr_unique;
	arg.unique = req->in.h.unique;

	spin_unlock(&fc->lock);
	if (iov_length(iov, nr_segs) < reqsize)
		return -EINVAL;

	fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
	err = fuse_copy_one(&cs, &ih, sizeof(ih));
	if (!err)
		err = fuse_copy_one(&cs, &arg, sizeof(arg));
	fuse_copy_finish(&cs);

	return err ? err : reqsize;
}

/*
 * Read a single request into the userspace filesystem's buffer.  This
 * function waits until a request is available, then removes it from
 * the pending list and copies request data to userspace buffer.  If
 * no reply is needed (FORGET) or request has been aborted or there
 * was an error during the copying then it's finished by calling
 * request_end().  Otherwise add it to the processing list, and set
 * the 'sent' flag.
 */
static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
			     unsigned long nr_segs, loff_t pos)
{
	int err;
	struct fuse_req *req;
	struct fuse_in *in;
	struct fuse_copy_state cs;
	unsigned reqsize;
	struct file *file = iocb->ki_filp;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

 restart:
	spin_lock(&fc->lock);
	err = -EAGAIN;
	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
	    !request_pending(fc))
		goto err_unlock;

	request_wait(fc);
	err = -ENODEV;
	if (!fc->connected)
		goto err_unlock;
	err = -ERESTARTSYS;
	if (!request_pending(fc))
		goto err_unlock;

	if (!list_empty(&fc->interrupts)) {
		req = list_entry(fc->interrupts.next, struct fuse_req,
				 intr_entry);
		return fuse_read_interrupt(fc, req, iov, nr_segs);
	}

	req = list_entry(fc->pending.next, struct fuse_req, list);
	req->state = FUSE_REQ_READING;
	list_move(&req->list, &fc->io);

	in = &req->in;
	reqsize = in->h.len;
	/* If request is too large, reply with an error and restart the read */
	if (iov_length(iov, nr_segs) < reqsize) {
		req->out.h.error = -EIO;
		/* SETXATTR is special, since it may contain too large data */
		if (in->h.opcode == FUSE_SETXATTR)
			req->out.h.error = -E2BIG;
		request_end(fc, req);
		goto restart;
	}
	spin_unlock(&fc->lock);
	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
	if (!err)
		err = fuse_copy_args(&cs, in->numargs, in->argpages,
				     (struct fuse_arg *) in->args, 0);
	fuse_copy_finish(&cs);
	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err && req->aborted)
		err = -ENOENT;
	if (err) {
		if (!req->aborted)
			req->out.h.error = -EIO;
		request_end(fc, req);
		return err;
	}
	if (!req->isreply)
		request_end(fc, req);
	else {
		req->state = FUSE_REQ_SENT;
		list_move_tail(&req->list, &fc->processing);
		if (req->interrupted)
			queue_interrupt(fc, req);
		spin_unlock(&fc->lock);
	}
	return reqsize;

 err_unlock:
	spin_unlock(&fc->lock);
	return err;
}
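
/*
 * Seen from userspace, the device protocol is a simple request/reply
 * loop.  A daemon (in practice libfuse) does, roughly:
 *
 *	for (;;) {
 *		n = read(fuse_fd, buf, bufsize);	one request
 *		... dispatch on the fuse_in_header at the start of buf ...
 *		write(fuse_fd, reply, replylen);	if a reply is expected
 *	}
 *
 * This is only a sketch; the reply format accepted here is described
 * before fuse_dev_write() below.
 */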

/* Look up request on processing list by unique ID */
static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
{
	struct list_head *entry;

	list_for_each(entry, &fc->processing) {
		struct fuse_req *req;
		req = list_entry(entry, struct fuse_req, list);
		if (req->in.h.unique == unique || req->intr_unique == unique)
			return req;
	}
	return NULL;
}

static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
			 unsigned nbytes)
{
	unsigned reqsize = sizeof(struct fuse_out_header);

	if (out->h.error)
		return nbytes != reqsize ? -EINVAL : 0;

	reqsize += len_args(out->numargs, out->args);

	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
		return -EINVAL;
	else if (reqsize > nbytes) {
		struct fuse_arg *lastarg = &out->args[out->numargs-1];
		unsigned diffsize = reqsize - nbytes;
		if (diffsize > lastarg->size)
			return -EINVAL;
		lastarg->size -= diffsize;
	}
	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
			      out->page_zeroing);
}

/*
 * Write a single reply to a request.  First the header is copied from
 * the write buffer.  The request is then searched on the processing
 * list by the unique ID found in the header.  If found, then remove
 * it from the list and copy the rest of the buffer to the request.
 * The request is finished by calling request_end()
 */
static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
			      unsigned long nr_segs, loff_t pos)
{
	int err;
	unsigned nbytes = iov_length(iov, nr_segs);
	struct fuse_req *req;
	struct fuse_out_header oh;
	struct fuse_copy_state cs;
	struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
	if (!fc)
		return -EPERM;

	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
	if (nbytes < sizeof(struct fuse_out_header))
		return -EINVAL;

	err = fuse_copy_one(&cs, &oh, sizeof(oh));
	if (err)
		goto err_finish;
	err = -EINVAL;
	if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
	    oh.len != nbytes)
		goto err_finish;

	spin_lock(&fc->lock);
	err = -ENOENT;
	if (!fc->connected)
		goto err_unlock;

	req = request_find(fc, oh.unique);
	if (!req)
		goto err_unlock;

	if (req->aborted) {
		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		spin_lock(&fc->lock);
		request_end(fc, req);
		return -ENOENT;
	}
	/* Is it an interrupt reply? */
	if (req->intr_unique == oh.unique) {
		err = -EINVAL;
		if (nbytes != sizeof(struct fuse_out_header))
			goto err_unlock;

		if (oh.error == -ENOSYS)
			fc->no_interrupt = 1;
		else if (oh.error == -EAGAIN)
			queue_interrupt(fc, req);

		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		return nbytes;
	}

	req->state = FUSE_REQ_WRITING;
	list_move(&req->list, &fc->io);
	req->out.h = oh;
	req->locked = 1;
	cs.req = req;
	spin_unlock(&fc->lock);

	err = copy_out_args(&cs, &req->out, nbytes);
	fuse_copy_finish(&cs);

	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err) {
		if (req->aborted)
			err = -ENOENT;
	} else if (!req->aborted)
		req->out.h.error = -EIO;
	request_end(fc, req);

	return err ? err : nbytes;

 err_unlock:
	spin_unlock(&fc->lock);
 err_finish:
	fuse_copy_finish(&cs);
	return err;
}
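
/*
 * Reply layout expected by fuse_dev_write() (informal sketch): the
 * buffer starts with
 *
 *	struct fuse_out_header { len, error, unique }
 *
 * where 'unique' matches the request (or its intr_unique for an
 * INTERRUPT reply), 'error' is zero or a negative errno, and 'len' is
 * the total size of the write.  A non-zero error means the reply is
 * header-only; otherwise the opcode-specific out arguments follow,
 * with the last one allowed to be short only if the request marked it
 * as variable length (argvar).
 */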

static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
{
	unsigned mask = POLLOUT | POLLWRNORM;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return POLLERR;

	poll_wait(file, &fc->waitq, wait);

	spin_lock(&fc->lock);
	if (!fc->connected)
		mask = POLLERR;
	else if (request_pending(fc))
		mask |= POLLIN | POLLRDNORM;
	spin_unlock(&fc->lock);

	return mask;
}
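
/*
 * The device is always writable; POLLIN is reported when a request
 * (or interrupt) is queued, and POLLERR once the connection has been
 * aborted or released.  A daemon may therefore multiplex the device
 * with poll()/select() and only call read() when POLLIN is set
 * (sketch of intended usage, not something this file depends on).
 */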

/*
 * Abort all requests on the given list (pending or processing)
 *
 * This function releases and reacquires fc->lock
 */
static void end_requests(struct fuse_conn *fc, struct list_head *head)
{
	while (!list_empty(head)) {
		struct fuse_req *req;
		req = list_entry(head->next, struct fuse_req, list);
		req->out.h.error = -ECONNABORTED;
		request_end(fc, req);
		spin_lock(&fc->lock);
	}
}

/*
 * Abort requests under I/O
 *
 * The requests are set to aborted and finished, and the request
 * waiter is woken up.  This will make request_wait_answer() wait
 * until the request is unlocked and then return.
 *
 * If the request is asynchronous, then the end function needs to be
 * called after waiting for the request to be unlocked (if it was
 * locked).
 */
static void end_io_requests(struct fuse_conn *fc)
{
	while (!list_empty(&fc->io)) {
		struct fuse_req *req =
			list_entry(fc->io.next, struct fuse_req, list);
		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;

		req->aborted = 1;
		req->out.h.error = -ECONNABORTED;
		req->state = FUSE_REQ_FINISHED;
		list_del_init(&req->list);
		wake_up(&req->waitq);
		if (end) {
			req->end = NULL;
			/* The end function will consume this reference */
			__fuse_get_request(req);
			spin_unlock(&fc->lock);
			wait_event(req->waitq, !req->locked);
			end(fc, req);
			spin_lock(&fc->lock);
		}
	}
}

/*
 * Abort all requests.
 *
 * Emergency exit in case of a malicious or accidental deadlock, or
 * just a hung filesystem.
 *
 * The same effect is usually achievable through killing the
 * filesystem daemon and all users of the filesystem.  The exception
 * is the combination of an asynchronous request and the tricky
 * deadlock (see Documentation/filesystems/fuse.txt).
 *
 * During the aborting, progression of requests from the pending and
 * processing lists onto the io list, and progression of new requests
 * onto the pending list is prevented by fc->connected being false.
 *
 * Progression of requests under I/O to the processing list is
 * prevented by the req->aborted flag being true for these requests.
 * For this reason requests on the io list must be aborted first.
 */
void fuse_abort_conn(struct fuse_conn *fc)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		fc->connected = 0;
		fc->blocked = 0;
		end_io_requests(fc);
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		wake_up_all(&fc->waitq);
		wake_up_all(&fc->blocked_waitq);
		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
	}
	spin_unlock(&fc->lock);
}

static int fuse_dev_release(struct inode *inode, struct file *file)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (fc) {
		spin_lock(&fc->lock);
		fc->connected = 0;
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		spin_unlock(&fc->lock);
		fasync_helper(-1, file, 0, &fc->fasync);
		fuse_conn_put(fc);
	}

	return 0;
}

static int fuse_dev_fasync(int fd, struct file *file, int on)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

	/* No locking - fasync_helper does its own locking */
	return fasync_helper(fd, file, on, &fc->fasync);
}

const struct file_operations fuse_dev_operations = {
	.owner = THIS_MODULE,
	.llseek = no_llseek,
	.read = do_sync_read,
	.aio_read = fuse_dev_read,
	.write = do_sync_write,
	.aio_write = fuse_dev_write,
	.poll = fuse_dev_poll,
	.release = fuse_dev_release,
	.fasync = fuse_dev_fasync,
};

static struct miscdevice fuse_miscdevice = {
	.minor = FUSE_MINOR,
	.name = "fuse",
	.fops = &fuse_dev_operations,
};

int __init fuse_dev_init(void)
{
	int err = -ENOMEM;
	fuse_req_cachep = kmem_cache_create("fuse_request",
					    sizeof(struct fuse_req),
					    0, 0, NULL, NULL);
	if (!fuse_req_cachep)
		goto out;

	err = misc_register(&fuse_miscdevice);
	if (err)
		goto out_cache_clean;

	return 0;

 out_cache_clean:
	kmem_cache_destroy(fuse_req_cachep);
 out:
	return err;
}

void fuse_dev_cleanup(void)
{
	misc_deregister(&fuse_miscdevice);
	kmem_cache_destroy(fuse_req_cachep);
}
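
/*
 * fuse_dev_init()/fuse_dev_cleanup() are invoked from the module
 * init/exit path in inode.c.  Userspace obtains a connection by
 * opening /dev/fuse (misc minor FUSE_MINOR) and handing the file
 * descriptor to mount via the "fd=" option; see fuse_fill_super()
 * (rough description, the details live outside this file).
 */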