/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include "fuse_i.h"

#include <linux/init.h>
#include <linux/module.h>
#include <linux/poll.h>
#include <linux/uio.h>
#include <linux/miscdevice.h>
#include <linux/pagemap.h>
#include <linux/file.h>
#include <linux/slab.h>

MODULE_ALIAS_MISCDEV(FUSE_MINOR);

static struct kmem_cache *fuse_req_cachep;

static struct fuse_conn *fuse_get_conn(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return file->private_data;
}

static void fuse_request_init(struct fuse_req *req)
{
	memset(req, 0, sizeof(*req));
	INIT_LIST_HEAD(&req->list);
	INIT_LIST_HEAD(&req->intr_entry);
	init_waitqueue_head(&req->waitq);
	atomic_set(&req->count, 1);
}

struct fuse_req *fuse_request_alloc(void)
{
	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
	if (req)
		fuse_request_init(req);
	return req;
}

void fuse_request_free(struct fuse_req *req)
{
	kmem_cache_free(fuse_req_cachep, req);
}

static void block_sigs(sigset_t *oldset)
{
	sigset_t mask;

	siginitsetinv(&mask, sigmask(SIGKILL));
	sigprocmask(SIG_BLOCK, &mask, oldset);
}

static void restore_sigs(sigset_t *oldset)
{
	sigprocmask(SIG_SETMASK, oldset, NULL);
}

static void __fuse_get_request(struct fuse_req *req)
{
	atomic_inc(&req->count);
}

/* Must be called with > 1 refcount */
static void __fuse_put_request(struct fuse_req *req)
{
	BUG_ON(atomic_read(&req->count) < 2);
	atomic_dec(&req->count);
}

static void fuse_req_init_context(struct fuse_req *req)
{
	req->in.h.uid = current->fsuid;
	req->in.h.gid = current->fsgid;
	req->in.h.pid = current->pid;
}

struct fuse_req *fuse_get_req(struct fuse_conn *fc)
{
	struct fuse_req *req;
	sigset_t oldset;
	int intr;
	int err;

	atomic_inc(&fc->num_waiting);
	block_sigs(&oldset);
	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
	restore_sigs(&oldset);
	err = -EINTR;
	if (intr)
		goto out;

	err = -ENOTCONN;
	if (!fc->connected)
		goto out;

	req = fuse_request_alloc();
	err = -ENOMEM;
	if (!req)
		goto out;

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;

 out:
	atomic_dec(&fc->num_waiting);
	return ERR_PTR(err);
}

/*
 * Return request in fuse_file->reserved_req.  However that may
 * currently be in use.  If that is the case, wait for it to become
 * available.
 */
static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
					 struct file *file)
{
	struct fuse_req *req = NULL;
	struct fuse_file *ff = file->private_data;

	do {
		wait_event(fc->reserved_req_waitq, ff->reserved_req);
		spin_lock(&fc->lock);
		if (ff->reserved_req) {
			req = ff->reserved_req;
			ff->reserved_req = NULL;
			get_file(file);
			req->stolen_file = file;
		}
		spin_unlock(&fc->lock);
	} while (!req);

	return req;
}

/*
 * Put stolen request back into fuse_file->reserved_req
 */
static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
{
	struct file *file = req->stolen_file;
	struct fuse_file *ff = file->private_data;

	spin_lock(&fc->lock);
	fuse_request_init(req);
	BUG_ON(ff->reserved_req);
	ff->reserved_req = req;
	wake_up_all(&fc->reserved_req_waitq);
	spin_unlock(&fc->lock);
	fput(file);
}

/*
 * Get a request for a file operation, always succeeds
 *
 * This is used for sending the FLUSH request, which must get to
 * userspace, due to POSIX locks which may need to be unlocked.
 *
 * If allocation fails due to OOM, use the reserved request in
 * fuse_file.
 *
 * This is very unlikely to deadlock accidentally, since the
 * filesystem should not have its own file open.  If deadlock is
 * intentional, it can still be broken by "aborting" the filesystem.
 */
struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
{
	struct fuse_req *req;

	atomic_inc(&fc->num_waiting);
	wait_event(fc->blocked_waitq, !fc->blocked);
	req = fuse_request_alloc();
	if (!req)
		req = get_reserved_req(fc, file);

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;
}

void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (atomic_dec_and_test(&req->count)) {
		if (req->waiting)
			atomic_dec(&fc->num_waiting);

		if (req->stolen_file)
			put_reserved_req(fc, req);
		else
			fuse_request_free(req);
	}
}

static unsigned len_args(unsigned numargs, struct fuse_arg *args)
{
	unsigned nbytes = 0;
	unsigned i;

	for (i = 0; i < numargs; i++)
		nbytes += args[i].size;

	return nbytes;
}

static u64 fuse_get_unique(struct fuse_conn *fc)
{
	fc->reqctr++;
	/* zero is special */
	if (fc->reqctr == 0)
		fc->reqctr = 1;

	return fc->reqctr;
}

static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
{
	req->in.h.unique = fuse_get_unique(fc);
	req->in.h.len = sizeof(struct fuse_in_header) +
		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
	list_add_tail(&req->list, &fc->pending);
	req->state = FUSE_REQ_PENDING;
	if (!req->waiting) {
		req->waiting = 1;
		atomic_inc(&fc->num_waiting);
	}
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

static void flush_bg_queue(struct fuse_conn *fc)
{
	while (fc->active_background < FUSE_MAX_BACKGROUND &&
	       !list_empty(&fc->bg_queue)) {
		struct fuse_req *req;

		req = list_entry(fc->bg_queue.next, struct fuse_req, list);
		list_del(&req->list);
		fc->active_background++;
		queue_request(fc, req);
	}
}

/*
 * This function is called when a request is finished.  Either a reply
 * has arrived or it was aborted (and not yet sent) or some error
 * occurred during communication with userspace, or the device file
 * was closed.  The requester thread is woken up (if still waiting),
 * the 'end' callback is called if given, else the reference to the
 * request is released
 *
 * Called with fc->lock, unlocks it
 */
static void request_end(struct fuse_conn *fc, struct fuse_req *req)
	__releases(fc->lock)
{
	void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
	req->end = NULL;
	list_del(&req->list);
	list_del(&req->intr_entry);
	req->state = FUSE_REQ_FINISHED;
	if (req->background) {
		if (fc->num_background == FUSE_MAX_BACKGROUND) {
			fc->blocked = 0;
			wake_up_all(&fc->blocked_waitq);
		}
		if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
			clear_bdi_congested(&fc->bdi, READ);
			clear_bdi_congested(&fc->bdi, WRITE);
		}
		fc->num_background--;
		fc->active_background--;
		flush_bg_queue(fc);
	}
	spin_unlock(&fc->lock);
	wake_up(&req->waitq);
	if (end)
		end(fc, req);
	else
		fuse_put_request(fc, req);
}

static void wait_answer_interruptible(struct fuse_conn *fc,
				      struct fuse_req *req)
{
	if (signal_pending(current))
		return;

	spin_unlock(&fc->lock);
	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);
}

static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
{
	list_add_tail(&req->intr_entry, &fc->interrupts);
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

/* Called with fc->lock held.  Releases, and then reacquires it. */
static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
{
	if (!fc->no_interrupt) {
		/* Any signal may interrupt this */
		wait_answer_interruptible(fc, req);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		req->interrupted = 1;
		if (req->state == FUSE_REQ_SENT)
			queue_interrupt(fc, req);
	}

	if (!req->force) {
		sigset_t oldset;

		/* Only fatal signals may interrupt this */
		block_sigs(&oldset);
		wait_answer_interruptible(fc, req);
		restore_sigs(&oldset);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		/* Request is not yet in userspace, bail out */
		if (req->state == FUSE_REQ_PENDING) {
			list_del(&req->list);
			__fuse_put_request(req);
			req->out.h.error = -EINTR;
			return;
		}
	}

	/*
	 * Either request is already in userspace, or it was forced.
	 * Wait it out.
	 */
	spin_unlock(&fc->lock);
	wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);

	if (!req->aborted)
		return;

 aborted:
	BUG_ON(req->state != FUSE_REQ_FINISHED);
	if (req->locked) {
		/* This is uninterruptible sleep, because data is
		   being copied to/from the buffers of req.  During
		   locked state, there mustn't be any filesystem
		   operation (e.g. page fault), since that could lead
		   to deadlock */
		spin_unlock(&fc->lock);
		wait_event(req->waitq, !req->locked);
		spin_lock(&fc->lock);
	}
}

void request_send(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	spin_lock(&fc->lock);
	if (!fc->connected)
		req->out.h.error = -ENOTCONN;
	else if (fc->conn_error)
		req->out.h.error = -ECONNREFUSED;
	else {
		queue_request(fc, req);
		/* acquire extra reference, since request is still needed
		   after request_end() */
		__fuse_get_request(req);

		request_wait_answer(fc, req);
	}
	spin_unlock(&fc->lock);
}

static void request_send_nowait_locked(struct fuse_conn *fc,
				       struct fuse_req *req)
{
	req->background = 1;
	fc->num_background++;
	if (fc->num_background == FUSE_MAX_BACKGROUND)
		fc->blocked = 1;
	if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
		set_bdi_congested(&fc->bdi, READ);
		set_bdi_congested(&fc->bdi, WRITE);
	}
	list_add_tail(&req->list, &fc->bg_queue);
	flush_bg_queue(fc);
}

static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		request_send_nowait_locked(fc, req);
		spin_unlock(&fc->lock);
	} else {
		req->out.h.error = -ENOTCONN;
		request_end(fc, req);
	}
}

void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 0;
	request_send_nowait(fc, req);
}

void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	request_send_nowait(fc, req);
}

/*
 * Lock the request.  Up to the next unlock_request() there mustn't be
 * anything that could cause a page-fault.  If the request was already
 * aborted bail out.
 */
static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	int err = 0;
	if (req) {
		spin_lock(&fc->lock);
		if (req->aborted)
			err = -ENOENT;
		else
			req->locked = 1;
		spin_unlock(&fc->lock);
	}
	return err;
}

/*
 * Unlock request.  If it was aborted during being locked, the
 * requester thread is currently waiting for it to be unlocked, so
 * wake it up.
 */
static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (req) {
		spin_lock(&fc->lock);
		req->locked = 0;
		if (req->aborted)
			wake_up(&req->waitq);
		spin_unlock(&fc->lock);
	}
}

struct fuse_copy_state {
	struct fuse_conn *fc;
	int write;
	struct fuse_req *req;
	const struct iovec *iov;
	unsigned long nr_segs;
	unsigned long seglen;
	unsigned long addr;
	struct page *pg;
	void *mapaddr;
	void *buf;
	unsigned len;
};

static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
			   int write, struct fuse_req *req,
			   const struct iovec *iov, unsigned long nr_segs)
{
	memset(cs, 0, sizeof(*cs));
	cs->fc = fc;
	cs->write = write;
	cs->req = req;
	cs->iov = iov;
	cs->nr_segs = nr_segs;
}

/* Unmap and put previous page of userspace buffer */
static void fuse_copy_finish(struct fuse_copy_state *cs)
{
	if (cs->mapaddr) {
		kunmap_atomic(cs->mapaddr, KM_USER0);
		if (cs->write) {
			flush_dcache_page(cs->pg);
			set_page_dirty_lock(cs->pg);
		}
		put_page(cs->pg);
		cs->mapaddr = NULL;
	}
}

/*
 * Get another pagefull of userspace buffer, and map it to kernel
 * address space, and lock request
 */
static int fuse_copy_fill(struct fuse_copy_state *cs)
{
	unsigned long offset;
	int err;

	unlock_request(cs->fc, cs->req);
	fuse_copy_finish(cs);
	if (!cs->seglen) {
		BUG_ON(!cs->nr_segs);
		cs->seglen = cs->iov[0].iov_len;
		cs->addr = (unsigned long) cs->iov[0].iov_base;
		cs->iov++;
		cs->nr_segs--;
	}
	down_read(&current->mm->mmap_sem);
	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
			     &cs->pg, NULL);
	up_read(&current->mm->mmap_sem);
	if (err < 0)
		return err;
	BUG_ON(err != 1);
	offset = cs->addr % PAGE_SIZE;
	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
	cs->buf = cs->mapaddr + offset;
	cs->len = min(PAGE_SIZE - offset, cs->seglen);
	cs->seglen -= cs->len;
	cs->addr += cs->len;

	return lock_request(cs->fc, cs->req);
}

/* Do as much copy to/from userspace buffer as we can */
static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
{
	unsigned ncpy = min(*size, cs->len);
	if (val) {
		if (cs->write)
			memcpy(cs->buf, *val, ncpy);
		else
			memcpy(*val, cs->buf, ncpy);
		*val += ncpy;
	}
	*size -= ncpy;
	cs->len -= ncpy;
	cs->buf += ncpy;
	return ncpy;
}

/*
 * Copy a page in the request to/from the userspace buffer.  Must be
 * done atomically
 */
static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
			  unsigned offset, unsigned count, int zeroing)
{
	if (page && zeroing && count < PAGE_SIZE) {
		void *mapaddr = kmap_atomic(page, KM_USER1);
		memset(mapaddr, 0, PAGE_SIZE);
		kunmap_atomic(mapaddr, KM_USER1);
	}
	while (count) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		if (page) {
			void *mapaddr = kmap_atomic(page, KM_USER1);
			void *buf = mapaddr + offset;
			offset += fuse_copy_do(cs, &buf, &count);
			kunmap_atomic(mapaddr, KM_USER1);
		} else
			offset += fuse_copy_do(cs, NULL, &count);
	}
	if (page && !cs->write)
		flush_dcache_page(page);
	return 0;
}

/* Copy pages in the request to/from userspace buffer */
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
			   int zeroing)
{
	unsigned i;
	struct fuse_req *req = cs->req;
	unsigned offset = req->page_offset;
	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
		struct page *page = req->pages[i];
		int err = fuse_copy_page(cs, page, offset, count, zeroing);
		if (err)
			return err;

		nbytes -= count;
		count = min(nbytes, (unsigned) PAGE_SIZE);
		offset = 0;
	}
	return 0;
}

/* Copy a single argument in the request to/from userspace buffer */
static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
{
	while (size) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		fuse_copy_do(cs, &val, &size);
	}
	return 0;
}

/* Copy request arguments to/from userspace buffer */
static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
			  unsigned argpages, struct fuse_arg *args,
			  int zeroing)
{
	int err = 0;
	unsigned i;

	for (i = 0; !err && i < numargs; i++) {
		struct fuse_arg *arg = &args[i];
		if (i == numargs - 1 && argpages)
			err = fuse_copy_pages(cs, arg->size, zeroing);
		else
			err = fuse_copy_one(cs, arg->value, arg->size);
	}
	return err;
}

static int request_pending(struct fuse_conn *fc)
{
	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
}

/* Wait until a request is available on the pending list */
static void request_wait(struct fuse_conn *fc)
{
	DECLARE_WAITQUEUE(wait, current);

	add_wait_queue_exclusive(&fc->waitq, &wait);
	while (fc->connected && !request_pending(fc)) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (signal_pending(current))
			break;

		spin_unlock(&fc->lock);
		schedule();
		spin_lock(&fc->lock);
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(&fc->waitq, &wait);
}

/*
 * Transfer an interrupt request to userspace
 *
 * Unlike other requests this is assembled on demand, without a need
 * to allocate a separate fuse_req structure.
 *
 * Called with fc->lock held, releases it
 */
static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
			       const struct iovec *iov, unsigned long nr_segs)
	__releases(fc->lock)
{
	struct fuse_copy_state cs;
	struct fuse_in_header ih;
	struct fuse_interrupt_in arg;
	unsigned reqsize = sizeof(ih) + sizeof(arg);
	int err;

	list_del_init(&req->intr_entry);
	req->intr_unique = fuse_get_unique(fc);
	memset(&ih, 0, sizeof(ih));
	memset(&arg, 0, sizeof(arg));
	ih.len = reqsize;
	ih.opcode = FUSE_INTERRUPT;
	ih.unique = req->intr_unique;
	arg.unique = req->in.h.unique;

	spin_unlock(&fc->lock);
	if (iov_length(iov, nr_segs) < reqsize)
		return -EINVAL;

	fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
	err = fuse_copy_one(&cs, &ih, sizeof(ih));
	if (!err)
		err = fuse_copy_one(&cs, &arg, sizeof(arg));
	fuse_copy_finish(&cs);

	return err ? err : reqsize;
}

/*
 * Read a single request into the userspace filesystem's buffer.  This
 * function waits until a request is available, then removes it from
 * the pending list and copies request data to userspace buffer.  If
 * no reply is needed (FORGET) or request has been aborted or there
 * was an error during the copying then it's finished by calling
 * request_end().  Otherwise add it to the processing list, and set
 * the 'sent' flag.
 */
static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
			     unsigned long nr_segs, loff_t pos)
{
	int err;
	struct fuse_req *req;
	struct fuse_in *in;
	struct fuse_copy_state cs;
	unsigned reqsize;
	struct file *file = iocb->ki_filp;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

 restart:
	spin_lock(&fc->lock);
	err = -EAGAIN;
	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
	    !request_pending(fc))
		goto err_unlock;

	request_wait(fc);
	err = -ENODEV;
	if (!fc->connected)
		goto err_unlock;
	err = -ERESTARTSYS;
	if (!request_pending(fc))
		goto err_unlock;

	if (!list_empty(&fc->interrupts)) {
		req = list_entry(fc->interrupts.next, struct fuse_req,
				 intr_entry);
		return fuse_read_interrupt(fc, req, iov, nr_segs);
	}

	req = list_entry(fc->pending.next, struct fuse_req, list);
	req->state = FUSE_REQ_READING;
	list_move(&req->list, &fc->io);

	in = &req->in;
	reqsize = in->h.len;
	/* If request is too large, reply with an error and restart the read */
	if (iov_length(iov, nr_segs) < reqsize) {
		req->out.h.error = -EIO;
		/* SETXATTR is special, since it may contain too large data */
		if (in->h.opcode == FUSE_SETXATTR)
			req->out.h.error = -E2BIG;
		request_end(fc, req);
		goto restart;
	}
	spin_unlock(&fc->lock);
	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
	if (!err)
		err = fuse_copy_args(&cs, in->numargs, in->argpages,
				     (struct fuse_arg *) in->args, 0);
	fuse_copy_finish(&cs);
	spin_lock(&fc->lock);
	req->locked = 0;
	if (req->aborted) {
		request_end(fc, req);
		return -ENODEV;
	}
	if (err) {
		req->out.h.error = -EIO;
		request_end(fc, req);
		return err;
	}
	if (!req->isreply)
		request_end(fc, req);
	else {
		req->state = FUSE_REQ_SENT;
		list_move_tail(&req->list, &fc->processing);
		if (req->interrupted)
			queue_interrupt(fc, req);
		spin_unlock(&fc->lock);
	}
	return reqsize;

 err_unlock:
	spin_unlock(&fc->lock);
	return err;
}

/* Look up request on processing list by unique ID */
static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
{
	struct list_head *entry;

	list_for_each(entry, &fc->processing) {
		struct fuse_req *req;
		req = list_entry(entry, struct fuse_req, list);
		if (req->in.h.unique == unique || req->intr_unique == unique)
			return req;
	}
	return NULL;
}

static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
			 unsigned nbytes)
{
	unsigned reqsize = sizeof(struct fuse_out_header);

	if (out->h.error)
		return nbytes != reqsize ? -EINVAL : 0;

	reqsize += len_args(out->numargs, out->args);

	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
		return -EINVAL;
	else if (reqsize > nbytes) {
		struct fuse_arg *lastarg = &out->args[out->numargs-1];
		unsigned diffsize = reqsize - nbytes;
		if (diffsize > lastarg->size)
			return -EINVAL;
		lastarg->size -= diffsize;
	}
	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
			      out->page_zeroing);
}

/*
 * Write a single reply to a request.  First the header is copied from
 * the write buffer.  The request is then searched on the processing
 * list by the unique ID found in the header.  If found, then remove
 * it from the list and copy the rest of the buffer to the request.
 * The request is finished by calling request_end()
 */
static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
			      unsigned long nr_segs, loff_t pos)
{
	int err;
	unsigned nbytes = iov_length(iov, nr_segs);
	struct fuse_req *req;
	struct fuse_out_header oh;
	struct fuse_copy_state cs;
	struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
	if (!fc)
		return -EPERM;

	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
	if (nbytes < sizeof(struct fuse_out_header))
		return -EINVAL;

	err = fuse_copy_one(&cs, &oh, sizeof(oh));
	if (err)
		goto err_finish;
	err = -EINVAL;
	if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
	    oh.len != nbytes)
		goto err_finish;

	spin_lock(&fc->lock);
	err = -ENOENT;
	if (!fc->connected)
		goto err_unlock;

	req = request_find(fc, oh.unique);
	if (!req)
		goto err_unlock;

	if (req->aborted) {
		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		spin_lock(&fc->lock);
		request_end(fc, req);
		return -ENOENT;
	}
	/* Is it an interrupt reply? */
	if (req->intr_unique == oh.unique) {
		err = -EINVAL;
		if (nbytes != sizeof(struct fuse_out_header))
			goto err_unlock;

		if (oh.error == -ENOSYS)
			fc->no_interrupt = 1;
		else if (oh.error == -EAGAIN)
			queue_interrupt(fc, req);

		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		return nbytes;
	}

	req->state = FUSE_REQ_WRITING;
	list_move(&req->list, &fc->io);
	req->out.h = oh;
	req->locked = 1;
	cs.req = req;
	spin_unlock(&fc->lock);

	err = copy_out_args(&cs, &req->out, nbytes);
	fuse_copy_finish(&cs);

	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err) {
		if (req->aborted)
			err = -ENOENT;
	} else if (!req->aborted)
		req->out.h.error = -EIO;
	request_end(fc, req);

	return err ? err : nbytes;

 err_unlock:
	spin_unlock(&fc->lock);
 err_finish:
	fuse_copy_finish(&cs);
	return err;
}

static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
{
	unsigned mask = POLLOUT | POLLWRNORM;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return POLLERR;

	poll_wait(file, &fc->waitq, wait);

	spin_lock(&fc->lock);
	if (!fc->connected)
		mask = POLLERR;
	else if (request_pending(fc))
		mask |= POLLIN | POLLRDNORM;
	spin_unlock(&fc->lock);

	return mask;
}

/*
 * Abort all requests on the given list (pending or processing)
 *
 * This function releases and reacquires fc->lock
 */
static void end_requests(struct fuse_conn *fc, struct list_head *head)
{
	while (!list_empty(head)) {
		struct fuse_req *req;
		req = list_entry(head->next, struct fuse_req, list);
		req->out.h.error = -ECONNABORTED;
		request_end(fc, req);
		spin_lock(&fc->lock);
	}
}

/*
 * Abort requests under I/O
 *
 * The requests are set to aborted and finished, and the request
 * waiter is woken up.  This will make request_wait_answer() wait
 * until the request is unlocked and then return.
 *
 * If the request is asynchronous, then the end function needs to be
 * called after waiting for the request to be unlocked (if it was
 * locked).
 */
static void end_io_requests(struct fuse_conn *fc)
{
	while (!list_empty(&fc->io)) {
		struct fuse_req *req =
			list_entry(fc->io.next, struct fuse_req, list);
		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;

		req->aborted = 1;
		req->out.h.error = -ECONNABORTED;
		req->state = FUSE_REQ_FINISHED;
		list_del_init(&req->list);
		wake_up(&req->waitq);
		if (end) {
			req->end = NULL;
			/* The end function will consume this reference */
			__fuse_get_request(req);
			spin_unlock(&fc->lock);
			wait_event(req->waitq, !req->locked);
			end(fc, req);
			spin_lock(&fc->lock);
		}
	}
}

/*
 * Abort all requests.
 *
 * Emergency exit in case of a malicious or accidental deadlock, or
 * just a hung filesystem.
 *
 * The same effect is usually achievable through killing the
 * filesystem daemon and all users of the filesystem.  The exception
 * is the combination of an asynchronous request and the tricky
 * deadlock (see Documentation/filesystems/fuse.txt).
 *
 * During the aborting, progression of requests from the pending and
 * processing lists onto the io list, and progression of new requests
 * onto the pending list is prevented by fc->connected being false.
 *
 * Progression of requests under I/O to the processing list is
 * prevented by the req->aborted flag being true for these requests.
 * For this reason requests on the io list must be aborted first.
 */
void fuse_abort_conn(struct fuse_conn *fc)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		fc->connected = 0;
		fc->blocked = 0;
		end_io_requests(fc);
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		wake_up_all(&fc->waitq);
		wake_up_all(&fc->blocked_waitq);
		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
	}
	spin_unlock(&fc->lock);
}

static int fuse_dev_release(struct inode *inode, struct file *file)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (fc) {
		spin_lock(&fc->lock);
		fc->connected = 0;
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		spin_unlock(&fc->lock);
		fasync_helper(-1, file, 0, &fc->fasync);
		fuse_conn_put(fc);
	}

	return 0;
}

static int fuse_dev_fasync(int fd, struct file *file, int on)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

	/* No locking - fasync_helper does its own locking */
	return fasync_helper(fd, file, on, &fc->fasync);
}

const struct file_operations fuse_dev_operations = {
	.owner		= THIS_MODULE,
	.llseek		= no_llseek,
	.read		= do_sync_read,
	.aio_read	= fuse_dev_read,
	.write		= do_sync_write,
	.aio_write	= fuse_dev_write,
	.poll		= fuse_dev_poll,
	.release	= fuse_dev_release,
	.fasync		= fuse_dev_fasync,
};

static struct miscdevice fuse_miscdevice = {
	.minor = FUSE_MINOR,
	.name  = "fuse",
	.fops = &fuse_dev_operations,
};

int __init fuse_dev_init(void)
{
	int err = -ENOMEM;
	fuse_req_cachep = kmem_cache_create("fuse_request",
					    sizeof(struct fuse_req),
					    0, 0, NULL);
	if (!fuse_req_cachep)
		goto out;

	err = misc_register(&fuse_miscdevice);
	if (err)
		goto out_cache_clean;

	return 0;

 out_cache_clean:
	kmem_cache_destroy(fuse_req_cachep);
 out:
	return err;
}

void fuse_dev_cleanup(void)
{
	misc_deregister(&fuse_miscdevice);
	kmem_cache_destroy(fuse_req_cachep);
}