/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2008  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include "fuse_i.h"

#include <linux/init.h>
#include <linux/module.h>
#include <linux/poll.h>
#include <linux/uio.h>
#include <linux/miscdevice.h>
#include <linux/pagemap.h>
#include <linux/file.h>
#include <linux/slab.h>

MODULE_ALIAS_MISCDEV(FUSE_MINOR);

static struct kmem_cache *fuse_req_cachep;

static struct fuse_conn *fuse_get_conn(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return file->private_data;
}

static void fuse_request_init(struct fuse_req *req)
{
	memset(req, 0, sizeof(*req));
	INIT_LIST_HEAD(&req->list);
	INIT_LIST_HEAD(&req->intr_entry);
	init_waitqueue_head(&req->waitq);
	atomic_set(&req->count, 1);
}

struct fuse_req *fuse_request_alloc(void)
{
	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
	if (req)
		fuse_request_init(req);
	return req;
}

struct fuse_req *fuse_request_alloc_nofs(void)
{
	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_NOFS);
	if (req)
		fuse_request_init(req);
	return req;
}

void fuse_request_free(struct fuse_req *req)
{
	kmem_cache_free(fuse_req_cachep, req);
}

static void block_sigs(sigset_t *oldset)
{
	sigset_t mask;

	siginitsetinv(&mask, sigmask(SIGKILL));
	sigprocmask(SIG_BLOCK, &mask, oldset);
}

static void restore_sigs(sigset_t *oldset)
{
	sigprocmask(SIG_SETMASK, oldset, NULL);
}

static void __fuse_get_request(struct fuse_req *req)
{
	atomic_inc(&req->count);
}

/* Must be called with > 1 refcount */
static void __fuse_put_request(struct fuse_req *req)
{
	BUG_ON(atomic_read(&req->count) < 2);
	atomic_dec(&req->count);
}

static void fuse_req_init_context(struct fuse_req *req)
{
	req->in.h.uid = current_fsuid();
	req->in.h.gid = current_fsgid();
	req->in.h.pid = current->pid;
}

struct fuse_req *fuse_get_req(struct fuse_conn *fc)
{
	struct fuse_req *req;
	sigset_t oldset;
	int intr;
	int err;

	atomic_inc(&fc->num_waiting);
	block_sigs(&oldset);
	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
	restore_sigs(&oldset);
	err = -EINTR;
	if (intr)
		goto out;

	err = -ENOTCONN;
	if (!fc->connected)
		goto out;

	req = fuse_request_alloc();
	err = -ENOMEM;
	if (!req)
		goto out;

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;

 out:
	atomic_dec(&fc->num_waiting);
	return ERR_PTR(err);
}

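/*
 * Illustrative sketch (not part of the original file): a typical
 * synchronous caller elsewhere in fs/fuse drives this request API roughly
 * as follows.  The opcode and argument setup are hypothetical placeholders;
 * only fuse_get_req(), fuse_request_send() and fuse_put_request() are the
 * real entry points defined in this file.
 *
 *	struct fuse_req *req = fuse_get_req(fc);
 *	if (IS_ERR(req))
 *		return PTR_ERR(req);
 *	req->in.h.opcode = FUSE_GETATTR;	// example opcode
 *	req->in.h.nodeid = get_node_id(inode);
 *	req->out.numargs = 1;
 *	req->out.args[0].size = sizeof(outarg);
 *	req->out.args[0].value = &outarg;
 *	fuse_request_send(fc, req);		// blocks until the reply arrives
 *	err = req->out.h.error;
 *	fuse_put_request(fc, req);
 */
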
/*
 * Return request in fuse_file->reserved_req.  However that may
 * currently be in use.  If that is the case, wait for it to become
 * available.
 */
static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
					 struct file *file)
{
	struct fuse_req *req = NULL;
	struct fuse_file *ff = file->private_data;

	do {
		wait_event(fc->reserved_req_waitq, ff->reserved_req);
		spin_lock(&fc->lock);
		if (ff->reserved_req) {
			req = ff->reserved_req;
			ff->reserved_req = NULL;
			get_file(file);
			req->stolen_file = file;
		}
		spin_unlock(&fc->lock);
	} while (!req);

	return req;
}

/*
 * Put stolen request back into fuse_file->reserved_req
 */
static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
{
	struct file *file = req->stolen_file;
	struct fuse_file *ff = file->private_data;

	spin_lock(&fc->lock);
	fuse_request_init(req);
	BUG_ON(ff->reserved_req);
	ff->reserved_req = req;
	wake_up_all(&fc->reserved_req_waitq);
	spin_unlock(&fc->lock);
	fput(file);
}

/*
 * Gets a request for a file operation, always succeeds
 *
 * This is used for sending the FLUSH request, which must get to
 * userspace, due to POSIX locks which may need to be unlocked.
 *
 * If allocation fails due to OOM, use the reserved request in
 * fuse_file.
 *
 * This is very unlikely to deadlock accidentally, since the
 * filesystem should not have its own file open.  If deadlock is
 * intentional, it can still be broken by "aborting" the filesystem.
 */
struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
{
	struct fuse_req *req;

	atomic_inc(&fc->num_waiting);
	wait_event(fc->blocked_waitq, !fc->blocked);
	req = fuse_request_alloc();
	if (!req)
		req = get_reserved_req(fc, file);

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;
}

void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (atomic_dec_and_test(&req->count)) {
		if (req->waiting)
			atomic_dec(&fc->num_waiting);

		if (req->stolen_file)
			put_reserved_req(fc, req);
		else
			fuse_request_free(req);
	}
}

static unsigned len_args(unsigned numargs, struct fuse_arg *args)
{
	unsigned nbytes = 0;
	unsigned i;

	for (i = 0; i < numargs; i++)
		nbytes += args[i].size;

	return nbytes;
}

static u64 fuse_get_unique(struct fuse_conn *fc)
{
	fc->reqctr++;
	/* zero is special */
	if (fc->reqctr == 0)
		fc->reqctr = 1;

	return fc->reqctr;
}

static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
{
	req->in.h.unique = fuse_get_unique(fc);
	req->in.h.len = sizeof(struct fuse_in_header) +
		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
	list_add_tail(&req->list, &fc->pending);
	req->state = FUSE_REQ_PENDING;
	if (!req->waiting) {
		req->waiting = 1;
		atomic_inc(&fc->num_waiting);
	}
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

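/*
 * Worked example (added for clarity, not in the original source): for a
 * LOOKUP request the caller sets a single input argument containing the
 * NUL-terminated name, so queue_request() computes
 *
 *	in.h.len = sizeof(struct fuse_in_header) + strlen(name) + 1
 *
 * and that is exactly the number of bytes the daemon sees for this request
 * when it reads /dev/fuse.
 */
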
static void flush_bg_queue(struct fuse_conn *fc)
{
	while (fc->active_background < FUSE_MAX_BACKGROUND &&
	       !list_empty(&fc->bg_queue)) {
		struct fuse_req *req;

		req = list_entry(fc->bg_queue.next, struct fuse_req, list);
		list_del(&req->list);
		fc->active_background++;
		queue_request(fc, req);
	}
}

/*
 * This function is called when a request is finished.  Either a reply
 * has arrived or it was aborted (and not yet sent) or some error
 * occurred during communication with userspace, or the device file
 * was closed.  The requester thread is woken up (if still waiting),
 * the 'end' callback is called if given, else the reference to the
 * request is released
 *
 * Called with fc->lock, unlocks it
 */
static void request_end(struct fuse_conn *fc, struct fuse_req *req)
__releases(&fc->lock)
{
	void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
	req->end = NULL;
	list_del(&req->list);
	list_del(&req->intr_entry);
	req->state = FUSE_REQ_FINISHED;
	if (req->background) {
		if (fc->num_background == FUSE_MAX_BACKGROUND) {
			fc->blocked = 0;
			wake_up_all(&fc->blocked_waitq);
		}
		if (fc->num_background == FUSE_CONGESTION_THRESHOLD &&
		    fc->connected) {
			clear_bdi_congested(&fc->bdi, READ);
			clear_bdi_congested(&fc->bdi, WRITE);
		}
		fc->num_background--;
		fc->active_background--;
		flush_bg_queue(fc);
	}
	spin_unlock(&fc->lock);
	wake_up(&req->waitq);
	if (end)
		end(fc, req);
	fuse_put_request(fc, req);
}

static void wait_answer_interruptible(struct fuse_conn *fc,
				      struct fuse_req *req)
__releases(&fc->lock)
__acquires(&fc->lock)
{
	if (signal_pending(current))
		return;

	spin_unlock(&fc->lock);
	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);
}

static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
{
	list_add_tail(&req->intr_entry, &fc->interrupts);
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
__releases(&fc->lock)
__acquires(&fc->lock)
{
	if (!fc->no_interrupt) {
		/* Any signal may interrupt this */
		wait_answer_interruptible(fc, req);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		req->interrupted = 1;
		if (req->state == FUSE_REQ_SENT)
			queue_interrupt(fc, req);
	}

	if (!req->force) {
		sigset_t oldset;

		/* Only fatal signals may interrupt this */
		block_sigs(&oldset);
		wait_answer_interruptible(fc, req);
		restore_sigs(&oldset);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		/* Request is not yet in userspace, bail out */
		if (req->state == FUSE_REQ_PENDING) {
			list_del(&req->list);
			__fuse_put_request(req);
			req->out.h.error = -EINTR;
			return;
		}
	}

	/*
	 * Either request is already in userspace, or it was forced.
	 * Wait it out.
	 */
	spin_unlock(&fc->lock);
	wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);

	if (!req->aborted)
		return;

 aborted:
	BUG_ON(req->state != FUSE_REQ_FINISHED);
	if (req->locked) {
		/* This is uninterruptible sleep, because data is
		   being copied to/from the buffers of req.  During
		   locked state, there mustn't be any filesystem
		   operation (e.g. page fault), since that could lead
		   to deadlock */
		spin_unlock(&fc->lock);
		wait_event(req->waitq, !req->locked);
		spin_lock(&fc->lock);
	}
}

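/*
 * Note on the interrupt handshake (added for clarity, not in the original
 * source): queue_interrupt() only places the request on fc->interrupts;
 * the actual FUSE_INTERRUPT message is assembled later by
 * fuse_read_interrupt().  From the daemon's point of view the exchange
 * looks roughly like this (sketch; the userspace side is an assumption):
 *
 *	read(fd, buf, bufsize);
 *	// buf: fuse_in_header { opcode = FUSE_INTERRUPT, unique = U2 }
 *	//      followed by fuse_interrupt_in { unique = U1 }, where U1 is
 *	//      the unique ID of the request being interrupted
 *	// reply to U2 with error = -EAGAIN if U1 is not known yet (the
 *	// kernel requeues the interrupt), or with -ENOSYS to tell the
 *	// kernel that interrupts are not supported at all
 */
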
void fuse_request_send(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	spin_lock(&fc->lock);
	if (!fc->connected)
		req->out.h.error = -ENOTCONN;
	else if (fc->conn_error)
		req->out.h.error = -ECONNREFUSED;
	else {
		queue_request(fc, req);
		/* acquire extra reference, since request is still needed
		   after request_end() */
		__fuse_get_request(req);

		request_wait_answer(fc, req);
	}
	spin_unlock(&fc->lock);
}

static void fuse_request_send_nowait_locked(struct fuse_conn *fc,
					    struct fuse_req *req)
{
	req->background = 1;
	fc->num_background++;
	if (fc->num_background == FUSE_MAX_BACKGROUND)
		fc->blocked = 1;
	if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
		set_bdi_congested(&fc->bdi, READ);
		set_bdi_congested(&fc->bdi, WRITE);
	}
	list_add_tail(&req->list, &fc->bg_queue);
	flush_bg_queue(fc);
}

static void fuse_request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		fuse_request_send_nowait_locked(fc, req);
		spin_unlock(&fc->lock);
	} else {
		req->out.h.error = -ENOTCONN;
		request_end(fc, req);
	}
}

void fuse_request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 0;
	fuse_request_send_nowait(fc, req);
}

void fuse_request_send_background(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	fuse_request_send_nowait(fc, req);
}

/*
 * Called under fc->lock
 *
 * fc->connected must have been checked previously
 */
void fuse_request_send_background_locked(struct fuse_conn *fc,
					 struct fuse_req *req)
{
	req->isreply = 1;
	fuse_request_send_nowait_locked(fc, req);
}

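/*
 * Illustrative sketch (not in the original source): asynchronous callers,
 * e.g. the write-back paths in fs/fuse/file.c, typically pair a background
 * send with an 'end' callback so the reply is consumed without a waiting
 * thread.  The callback name below is a hypothetical placeholder:
 *
 *	req = fuse_request_alloc_nofs();
 *	if (!req)
 *		return -ENOMEM;
 *	// ...fill in req->in as usual...
 *	req->end = my_end_callback;	// invoked from request_end()
 *	fuse_request_send_background(fc, req);
 *
 * request_end() calls the callback and then drops its reference to the
 * request, so a caller that needs the request to outlive the callback must
 * hold an extra reference of its own.
 */
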
/*
 * Lock the request.  Up to the next unlock_request() there mustn't be
 * anything that could cause a page-fault.  If the request was already
 * aborted bail out.
 */
static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	int err = 0;
	if (req) {
		spin_lock(&fc->lock);
		if (req->aborted)
			err = -ENOENT;
		else
			req->locked = 1;
		spin_unlock(&fc->lock);
	}
	return err;
}

/*
 * Unlock request.  If it was aborted during being locked, the
 * requester thread is currently waiting for it to be unlocked, so
 * wake it up.
 */
static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (req) {
		spin_lock(&fc->lock);
		req->locked = 0;
		if (req->aborted)
			wake_up(&req->waitq);
		spin_unlock(&fc->lock);
	}
}

struct fuse_copy_state {
	struct fuse_conn *fc;
	int write;
	struct fuse_req *req;
	const struct iovec *iov;
	unsigned long nr_segs;
	unsigned long seglen;
	unsigned long addr;
	struct page *pg;
	void *mapaddr;
	void *buf;
	unsigned len;
};

static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
			   int write, struct fuse_req *req,
			   const struct iovec *iov, unsigned long nr_segs)
{
	memset(cs, 0, sizeof(*cs));
	cs->fc = fc;
	cs->write = write;
	cs->req = req;
	cs->iov = iov;
	cs->nr_segs = nr_segs;
}

/* Unmap and put previous page of userspace buffer */
static void fuse_copy_finish(struct fuse_copy_state *cs)
{
	if (cs->mapaddr) {
		kunmap_atomic(cs->mapaddr, KM_USER0);
		if (cs->write) {
			flush_dcache_page(cs->pg);
			set_page_dirty_lock(cs->pg);
		}
		put_page(cs->pg);
		cs->mapaddr = NULL;
	}
}

/*
 * Get another pagefull of userspace buffer, and map it to kernel
 * address space, and lock request
 */
static int fuse_copy_fill(struct fuse_copy_state *cs)
{
	unsigned long offset;
	int err;

	unlock_request(cs->fc, cs->req);
	fuse_copy_finish(cs);
	if (!cs->seglen) {
		BUG_ON(!cs->nr_segs);
		cs->seglen = cs->iov[0].iov_len;
		cs->addr = (unsigned long) cs->iov[0].iov_base;
		cs->iov++;
		cs->nr_segs--;
	}
	down_read(&current->mm->mmap_sem);
	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
			     &cs->pg, NULL);
	up_read(&current->mm->mmap_sem);
	if (err < 0)
		return err;
	BUG_ON(err != 1);
	offset = cs->addr % PAGE_SIZE;
	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
	cs->buf = cs->mapaddr + offset;
	cs->len = min(PAGE_SIZE - offset, cs->seglen);
	cs->seglen -= cs->len;
	cs->addr += cs->len;

	return lock_request(cs->fc, cs->req);
}

/* Do as much copy to/from userspace buffer as we can */
static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
{
	unsigned ncpy = min(*size, cs->len);
	if (val) {
		if (cs->write)
			memcpy(cs->buf, *val, ncpy);
		else
			memcpy(*val, cs->buf, ncpy);
		*val += ncpy;
	}
	*size -= ncpy;
	cs->len -= ncpy;
	cs->buf += ncpy;
	return ncpy;
}

/*
 * Copy a page in the request to/from the userspace buffer.  Must be
 * done atomically
 */
static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
			  unsigned offset, unsigned count, int zeroing)
{
	if (page && zeroing && count < PAGE_SIZE) {
		void *mapaddr = kmap_atomic(page, KM_USER1);
		memset(mapaddr, 0, PAGE_SIZE);
		kunmap_atomic(mapaddr, KM_USER1);
	}
	while (count) {
		if (!cs->len) {
			int err = fuse_copy_fill(cs);
			if (err)
				return err;
		}
		if (page) {
			void *mapaddr = kmap_atomic(page, KM_USER1);
			void *buf = mapaddr + offset;
			offset += fuse_copy_do(cs, &buf, &count);
			kunmap_atomic(mapaddr, KM_USER1);
		} else
			offset += fuse_copy_do(cs, NULL, &count);
	}
	if (page && !cs->write)
		flush_dcache_page(page);
	return 0;
}

/* Copy pages in the request to/from userspace buffer */
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
			   int zeroing)
{
	unsigned i;
	struct fuse_req *req = cs->req;
	unsigned offset = req->page_offset;
	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
		struct page *page = req->pages[i];
		int err = fuse_copy_page(cs, page, offset, count, zeroing);
		if (err)
			return err;

		nbytes -= count;
		count = min(nbytes, (unsigned) PAGE_SIZE);
		offset = 0;
	}
	return 0;
}

/* Copy a single argument in the request to/from userspace buffer */
static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
{
	while (size) {
		if (!cs->len) {
			int err = fuse_copy_fill(cs);
			if (err)
				return err;
		}
		fuse_copy_do(cs, &val, &size);
	}
	return 0;
}

/* Copy request arguments to/from userspace buffer */
static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
			  unsigned argpages, struct fuse_arg *args,
			  int zeroing)
{
	int err = 0;
	unsigned i;

	for (i = 0; !err && i < numargs; i++) {
		struct fuse_arg *arg = &args[i];
		if (i == numargs - 1 && argpages)
			err = fuse_copy_pages(cs, arg->size, zeroing);
		else
			err = fuse_copy_one(cs, arg->value, arg->size);
	}
	return err;
}

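/*
 * Layout note (added for clarity, not in the original source): when the
 * last argument is marked 'argpages', its bytes live in req->pages rather
 * than in a flat buffer.  For a READ reply, for instance, the daemon writes
 *
 *	struct fuse_out_header | file data (out->args[0].size bytes)
 *
 * and fuse_copy_args() routes the data part into the request's pages via
 * fuse_copy_pages().  With 'zeroing' set (page_zeroing, used for reads) a
 * short reply leaves the remainder of the pages zero-filled rather than
 * containing stale data.
 */
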
static int request_pending(struct fuse_conn *fc)
{
	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
}

/* Wait until a request is available on the pending list */
static void request_wait(struct fuse_conn *fc)
__releases(&fc->lock)
__acquires(&fc->lock)
{
	DECLARE_WAITQUEUE(wait, current);

	add_wait_queue_exclusive(&fc->waitq, &wait);
	while (fc->connected && !request_pending(fc)) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (signal_pending(current))
			break;

		spin_unlock(&fc->lock);
		schedule();
		spin_lock(&fc->lock);
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(&fc->waitq, &wait);
}

/*
 * Transfer an interrupt request to userspace
 *
 * Unlike other requests this is assembled on demand, without a need
 * to allocate a separate fuse_req structure.
 *
 * Called with fc->lock held, releases it
 */
static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
			       const struct iovec *iov, unsigned long nr_segs)
__releases(&fc->lock)
{
	struct fuse_copy_state cs;
	struct fuse_in_header ih;
	struct fuse_interrupt_in arg;
	unsigned reqsize = sizeof(ih) + sizeof(arg);
	int err;

	list_del_init(&req->intr_entry);
	req->intr_unique = fuse_get_unique(fc);
	memset(&ih, 0, sizeof(ih));
	memset(&arg, 0, sizeof(arg));
	ih.len = reqsize;
	ih.opcode = FUSE_INTERRUPT;
	ih.unique = req->intr_unique;
	arg.unique = req->in.h.unique;

	spin_unlock(&fc->lock);
	if (iov_length(iov, nr_segs) < reqsize)
		return -EINVAL;

	fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
	err = fuse_copy_one(&cs, &ih, sizeof(ih));
	if (!err)
		err = fuse_copy_one(&cs, &arg, sizeof(arg));
	fuse_copy_finish(&cs);

	return err ? err : reqsize;
}

/*
 * Read a single request into the userspace filesystem's buffer.  This
 * function waits until a request is available, then removes it from
 * the pending list and copies request data to userspace buffer.  If
 * no reply is needed (FORGET) or request has been aborted or there
 * was an error during the copying then it's finished by calling
 * request_end().  Otherwise add it to the processing list, and set
 * the 'sent' flag.
 */
static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
			     unsigned long nr_segs, loff_t pos)
{
	int err;
	struct fuse_req *req;
	struct fuse_in *in;
	struct fuse_copy_state cs;
	unsigned reqsize;
	struct file *file = iocb->ki_filp;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

 restart:
	spin_lock(&fc->lock);
	err = -EAGAIN;
	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
	    !request_pending(fc))
		goto err_unlock;

	request_wait(fc);
	err = -ENODEV;
	if (!fc->connected)
		goto err_unlock;
	err = -ERESTARTSYS;
	if (!request_pending(fc))
		goto err_unlock;

	if (!list_empty(&fc->interrupts)) {
		req = list_entry(fc->interrupts.next, struct fuse_req,
				 intr_entry);
		return fuse_read_interrupt(fc, req, iov, nr_segs);
	}

	req = list_entry(fc->pending.next, struct fuse_req, list);
	req->state = FUSE_REQ_READING;
	list_move(&req->list, &fc->io);

	in = &req->in;
	reqsize = in->h.len;
	/* If request is too large, reply with an error and restart the read */
	if (iov_length(iov, nr_segs) < reqsize) {
		req->out.h.error = -EIO;
		/* SETXATTR is special, since it may contain too large data */
		if (in->h.opcode == FUSE_SETXATTR)
			req->out.h.error = -E2BIG;
		request_end(fc, req);
		goto restart;
	}
	spin_unlock(&fc->lock);
	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
	if (!err)
		err = fuse_copy_args(&cs, in->numargs, in->argpages,
				     (struct fuse_arg *) in->args, 0);
	fuse_copy_finish(&cs);
	spin_lock(&fc->lock);
	req->locked = 0;
	if (req->aborted) {
		request_end(fc, req);
		return -ENODEV;
	}
	if (err) {
		req->out.h.error = -EIO;
		request_end(fc, req);
		return err;
	}
	if (!req->isreply)
		request_end(fc, req);
	else {
		req->state = FUSE_REQ_SENT;
		list_move_tail(&req->list, &fc->processing);
		if (req->interrupted)
			queue_interrupt(fc, req);
		spin_unlock(&fc->lock);
	}
	return reqsize;

 err_unlock:
	spin_unlock(&fc->lock);
	return err;
}

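/*
 * Illustrative sketch (not in the original source): from userspace the
 * read side of the protocol is a plain read() on the /dev/fuse file
 * descriptor.  Buffer size and error handling below are assumptions, not
 * part of this file:
 *
 *	char buf[FUSE_MIN_READ_BUFFER];
 *	ssize_t n = read(fuse_fd, buf, sizeof(buf));
 *	struct fuse_in_header *in = (struct fuse_in_header *) buf;
 *	// n == in->len; in->opcode selects the operation and in->unique
 *	// must be echoed back in the reply's fuse_out_header
 *
 * A buffer too small for the queued request makes the kernel fail that
 * request with -EIO (or -E2BIG for SETXATTR) and restart the read, as
 * implemented in fuse_dev_read() above.
 */
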
static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
			    struct fuse_copy_state *cs)
{
	struct fuse_notify_poll_wakeup_out outarg;
	int err = -EINVAL;

	if (size != sizeof(outarg))
		goto err;

	err = fuse_copy_one(cs, &outarg, sizeof(outarg));
	if (err)
		goto err;

	fuse_copy_finish(cs);
	return fuse_notify_poll_wakeup(fc, &outarg);

err:
	fuse_copy_finish(cs);
	return err;
}

static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
		       unsigned int size, struct fuse_copy_state *cs)
{
	switch (code) {
	case FUSE_NOTIFY_POLL:
		return fuse_notify_poll(fc, size, cs);

	default:
		fuse_copy_finish(cs);
		return -EINVAL;
	}
}

/* Look up request on processing list by unique ID */
static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
{
	struct list_head *entry;

	list_for_each(entry, &fc->processing) {
		struct fuse_req *req;
		req = list_entry(entry, struct fuse_req, list);
		if (req->in.h.unique == unique || req->intr_unique == unique)
			return req;
	}
	return NULL;
}

static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
			 unsigned nbytes)
{
	unsigned reqsize = sizeof(struct fuse_out_header);

	if (out->h.error)
		return nbytes != reqsize ? -EINVAL : 0;

	reqsize += len_args(out->numargs, out->args);

	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
		return -EINVAL;
	else if (reqsize > nbytes) {
		struct fuse_arg *lastarg = &out->args[out->numargs-1];
		unsigned diffsize = reqsize - nbytes;
		if (diffsize > lastarg->size)
			return -EINVAL;
		lastarg->size -= diffsize;
	}
	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
			      out->page_zeroing);
}

/*
 * Write a single reply to a request.  First the header is copied from
 * the write buffer.  The request is then searched on the processing
 * list by the unique ID found in the header.  If found, then remove
 * it from the list and copy the rest of the buffer to the request.
 * The request is finished by calling request_end()
 */
static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
			      unsigned long nr_segs, loff_t pos)
{
	int err;
	unsigned nbytes = iov_length(iov, nr_segs);
	struct fuse_req *req;
	struct fuse_out_header oh;
	struct fuse_copy_state cs;
	struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
	if (!fc)
		return -EPERM;

	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
	if (nbytes < sizeof(struct fuse_out_header))
		return -EINVAL;

	err = fuse_copy_one(&cs, &oh, sizeof(oh));
	if (err)
		goto err_finish;

	err = -EINVAL;
	if (oh.len != nbytes)
		goto err_finish;

	/*
	 * Zero oh.unique indicates unsolicited notification message
	 * and error contains notification code.
	 */
	if (!oh.unique) {
		err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), &cs);
		return err ? err : nbytes;
	}

	err = -EINVAL;
	if (oh.error <= -1000 || oh.error > 0)
		goto err_finish;

	spin_lock(&fc->lock);
	err = -ENOENT;
	if (!fc->connected)
		goto err_unlock;

	req = request_find(fc, oh.unique);
	if (!req)
		goto err_unlock;

	if (req->aborted) {
		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		spin_lock(&fc->lock);
		request_end(fc, req);
		return -ENOENT;
	}
	/* Is it an interrupt reply? */
	if (req->intr_unique == oh.unique) {
		err = -EINVAL;
		if (nbytes != sizeof(struct fuse_out_header))
			goto err_unlock;

		if (oh.error == -ENOSYS)
			fc->no_interrupt = 1;
		else if (oh.error == -EAGAIN)
			queue_interrupt(fc, req);

		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		return nbytes;
	}

	req->state = FUSE_REQ_WRITING;
	list_move(&req->list, &fc->io);
	req->out.h = oh;
	req->locked = 1;
	cs.req = req;
	spin_unlock(&fc->lock);

	err = copy_out_args(&cs, &req->out, nbytes);
	fuse_copy_finish(&cs);

	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err) {
		if (req->aborted)
			err = -ENOENT;
	} else if (!req->aborted)
		req->out.h.error = -EIO;
	request_end(fc, req);

	return err ? err : nbytes;

 err_unlock:
	spin_unlock(&fc->lock);
 err_finish:
	fuse_copy_finish(&cs);
	return err;
}

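/*
 * Illustrative sketch (not in the original source): the daemon answers a
 * request with a single write() whose first bytes are a fuse_out_header.
 * Variable names are placeholders:
 *
 *	struct fuse_out_header oh = {
 *		.unique	= in->unique,	// copied from the request
 *		.error	= 0,		// 0 or a negative errno (> -1000)
 *		.len	= sizeof(oh) + payload_len,
 *	};
 *	struct iovec iov[2] = {
 *		{ &oh, sizeof(oh) },
 *		{ payload, payload_len },
 *	};
 *	writev(fuse_fd, iov, 2);
 *
 * A header with unique == 0 is not a reply at all but an unsolicited
 * notification; its 'error' field then carries the notification code
 * (see fuse_notify() above).
 */
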
static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
{
	unsigned mask = POLLOUT | POLLWRNORM;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return POLLERR;

	poll_wait(file, &fc->waitq, wait);

	spin_lock(&fc->lock);
	if (!fc->connected)
		mask = POLLERR;
	else if (request_pending(fc))
		mask |= POLLIN | POLLRDNORM;
	spin_unlock(&fc->lock);

	return mask;
}

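/*
 * Illustrative sketch (not in the original source): an event-driven daemon
 * can open /dev/fuse with O_NONBLOCK and use poll()/select() instead of a
 * blocking read loop.  While the connection is alive the descriptor is
 * always reported writable; POLLIN means a request (or queued interrupt)
 * is ready:
 *
 *	struct pollfd pfd = { .fd = fuse_fd, .events = POLLIN };
 *	if (poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLIN))
 *		read(fuse_fd, buf, sizeof(buf));
 *
 * With O_NONBLOCK set, a read() that races with another reader simply
 * returns -EAGAIN, which is what fuse_dev_read() returns when no request
 * is pending.
 */
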
/*
 * Abort all requests on the given list (pending or processing)
 *
 * This function releases and reacquires fc->lock
 */
static void end_requests(struct fuse_conn *fc, struct list_head *head)
__releases(&fc->lock)
__acquires(&fc->lock)
{
	while (!list_empty(head)) {
		struct fuse_req *req;
		req = list_entry(head->next, struct fuse_req, list);
		req->out.h.error = -ECONNABORTED;
		request_end(fc, req);
		spin_lock(&fc->lock);
	}
}

/*
 * Abort requests under I/O
 *
 * The requests are set to aborted and finished, and the request
 * waiter is woken up.  This will make request_wait_answer() wait
 * until the request is unlocked and then return.
 *
 * If the request is asynchronous, then the end function needs to be
 * called after waiting for the request to be unlocked (if it was
 * locked).
 */
static void end_io_requests(struct fuse_conn *fc)
__releases(&fc->lock)
__acquires(&fc->lock)
{
	while (!list_empty(&fc->io)) {
		struct fuse_req *req =
			list_entry(fc->io.next, struct fuse_req, list);
		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;

		req->aborted = 1;
		req->out.h.error = -ECONNABORTED;
		req->state = FUSE_REQ_FINISHED;
		list_del_init(&req->list);
		wake_up(&req->waitq);
		if (end) {
			req->end = NULL;
			__fuse_get_request(req);
			spin_unlock(&fc->lock);
			wait_event(req->waitq, !req->locked);
			end(fc, req);
			fuse_put_request(fc, req);
			spin_lock(&fc->lock);
		}
	}
}

/*
 * Abort all requests.
 *
 * Emergency exit in case of a malicious or accidental deadlock, or
 * just a hung filesystem.
 *
 * The same effect is usually achievable through killing the
 * filesystem daemon and all users of the filesystem.  The exception
 * is the combination of an asynchronous request and the tricky
 * deadlock (see Documentation/filesystems/fuse.txt).
 *
 * During the aborting, progression of requests from the pending and
 * processing lists onto the io list, and progression of new requests
 * onto the pending list is prevented by fc->connected being false.
 *
 * Progression of requests under I/O to the processing list is
 * prevented by the req->aborted flag being true for these requests.
 * For this reason requests on the io list must be aborted first.
 */
void fuse_abort_conn(struct fuse_conn *fc)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		fc->connected = 0;
		fc->blocked = 0;
		end_io_requests(fc);
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		wake_up_all(&fc->waitq);
		wake_up_all(&fc->blocked_waitq);
		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
	}
	spin_unlock(&fc->lock);
}

static int fuse_dev_release(struct inode *inode, struct file *file)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (fc) {
		spin_lock(&fc->lock);
		fc->connected = 0;
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		spin_unlock(&fc->lock);
		fuse_conn_put(fc);
	}

	return 0;
}

static int fuse_dev_fasync(int fd, struct file *file, int on)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

	/* No locking - fasync_helper does its own locking */
	return fasync_helper(fd, file, on, &fc->fasync);
}

const struct file_operations fuse_dev_operations = {
	.owner		= THIS_MODULE,
	.llseek		= no_llseek,
	.read		= do_sync_read,
	.aio_read	= fuse_dev_read,
	.write		= do_sync_write,
	.aio_write	= fuse_dev_write,
	.poll		= fuse_dev_poll,
	.release	= fuse_dev_release,
	.fasync		= fuse_dev_fasync,
};

static struct miscdevice fuse_miscdevice = {
	.minor = FUSE_MINOR,
	.name  = "fuse",
	.fops = &fuse_dev_operations,
};

int __init fuse_dev_init(void)
{
	int err = -ENOMEM;
	fuse_req_cachep = kmem_cache_create("fuse_request",
					    sizeof(struct fuse_req),
					    0, 0, NULL);
	if (!fuse_req_cachep)
		goto out;

	err = misc_register(&fuse_miscdevice);
	if (err)
		goto out_cache_clean;

	return 0;

 out_cache_clean:
	kmem_cache_destroy(fuse_req_cachep);
 out:
	return err;
}

void fuse_dev_cleanup(void)
{
	misc_deregister(&fuse_miscdevice);
	kmem_cache_destroy(fuse_req_cachep);
}

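/*
 * Usage note (added for clarity, not in the original source): the
 * misc_register() call above makes the connection endpoint appear as the
 * character device /dev/fuse (misc minor FUSE_MINOR).  A filesystem daemon
 * opens this device and hands the resulting file descriptor to the kernel
 * through the "fd=" mount option; from then on every read()/write() on
 * that descriptor goes through fuse_dev_read()/fuse_dev_write() above.
 * Roughly (the option string shown is illustrative):
 *
 *	int fd = open("/dev/fuse", O_RDWR);
 *	snprintf(opts, sizeof(opts),
 *		 "fd=%d,rootmode=40000,user_id=%d,group_id=%d",
 *		 fd, getuid(), getgid());
 *	mount("myfs", "/mnt/point", "fuse", 0, opts);
 */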