1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 2007-2009 Google Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions are 9 * met: 10 * 11 * * Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * * Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following disclaimer 15 * in the documentation and/or other materials provided with the 16 * distribution. 17 * * Neither the name of Google Inc. nor the names of its 18 * contributors may be used to endorse or promote products derived from 19 * this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 * 33 * Copyright (C) 2005 Csaba Henk. 34 * All rights reserved. 35 * 36 * Copyright (c) 2019 The FreeBSD Foundation 37 * 38 * Portions of this software were developed by BFF Storage Systems, LLC under 39 * sponsorship from the FreeBSD Foundation. 40 * 41 * Redistribution and use in source and binary forms, with or without 42 * modification, are permitted provided that the following conditions 43 * are met: 44 * 1. Redistributions of source code must retain the above copyright 45 * notice, this list of conditions and the following disclaimer. 46 * 2. Redistributions in binary form must reproduce the above copyright 47 * notice, this list of conditions and the following disclaimer in the 48 * documentation and/or other materials provided with the distribution. 49 * 50 * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 51 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 53 * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 54 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 55 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 56 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 59 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 60 * SUCH DAMAGE. 61 */ 62 63 #include <sys/types.h> 64 #include <sys/param.h> 65 #include <sys/module.h> 66 #include <sys/systm.h> 67 #include <sys/errno.h> 68 #include <sys/param.h> 69 #include <sys/kernel.h> 70 #include <sys/conf.h> 71 #include <sys/uio.h> 72 #include <sys/malloc.h> 73 #include <sys/queue.h> 74 #include <sys/lock.h> 75 #include <sys/sx.h> 76 #include <sys/mutex.h> 77 #include <sys/proc.h> 78 #include <sys/mount.h> 79 #include <sys/sdt.h> 80 #include <sys/stat.h> 81 #include <sys/fcntl.h> 82 #include <sys/sysctl.h> 83 #include <sys/poll.h> 84 #include <sys/selinfo.h> 85 86 #include "fuse.h" 87 #include "fuse_internal.h" 88 #include "fuse_ipc.h" 89 90 #include <compat/linux/linux_errno.h> 91 #include <compat/linux/linux_errno.inc> 92 93 SDT_PROVIDER_DECLARE(fusefs); 94 /* 95 * Fuse trace probe: 96 * arg0: verbosity. Higher numbers give more verbose messages 97 * arg1: Textual message 98 */ 99 SDT_PROBE_DEFINE2(fusefs, , device, trace, "int", "char*"); 100 101 static struct cdev *fuse_dev; 102 103 static d_kqfilter_t fuse_device_filter; 104 static d_open_t fuse_device_open; 105 static d_poll_t fuse_device_poll; 106 static d_read_t fuse_device_read; 107 static d_write_t fuse_device_write; 108 109 static struct cdevsw fuse_device_cdevsw = { 110 .d_kqfilter = fuse_device_filter, 111 .d_open = fuse_device_open, 112 .d_name = "fuse", 113 .d_poll = fuse_device_poll, 114 .d_read = fuse_device_read, 115 .d_write = fuse_device_write, 116 .d_version = D_VERSION, 117 }; 118 119 static int fuse_device_filt_read(struct knote *kn, long hint); 120 static int fuse_device_filt_write(struct knote *kn, long hint); 121 static void fuse_device_filt_detach(struct knote *kn); 122 123 struct filterops fuse_device_rfiltops = { 124 .f_isfd = 1, 125 .f_detach = fuse_device_filt_detach, 126 .f_event = fuse_device_filt_read, 127 }; 128 129 struct filterops fuse_device_wfiltops = { 130 .f_isfd = 1, 131 .f_event = fuse_device_filt_write, 132 }; 133 134 /**************************** 135 * 136 * >>> Fuse device op defs 137 * 138 ****************************/ 139 140 static void 141 fdata_dtor(void *arg) 142 { 143 struct fuse_data *fdata; 144 struct fuse_ticket *tick; 145 146 fdata = arg; 147 if (fdata == NULL) 148 return; 149 150 fdata_set_dead(fdata); 151 152 FUSE_LOCK(); 153 fuse_lck_mtx_lock(fdata->aw_mtx); 154 /* wakup poll()ers */ 155 selwakeuppri(&fdata->ks_rsel, PZERO + 1); 156 /* Don't let syscall handlers wait in vain */ 157 while ((tick = fuse_aw_pop(fdata))) { 158 fuse_lck_mtx_lock(tick->tk_aw_mtx); 159 fticket_set_answered(tick); 160 tick->tk_aw_errno = ENOTCONN; 161 wakeup(tick); 162 fuse_lck_mtx_unlock(tick->tk_aw_mtx); 163 FUSE_ASSERT_AW_DONE(tick); 164 fuse_ticket_drop(tick); 165 } 166 fuse_lck_mtx_unlock(fdata->aw_mtx); 167 168 /* Cleanup unsent operations */ 169 fuse_lck_mtx_lock(fdata->ms_mtx); 170 while ((tick = fuse_ms_pop(fdata))) { 171 fuse_ticket_drop(tick); 172 } 173 fuse_lck_mtx_unlock(fdata->ms_mtx); 174 FUSE_UNLOCK(); 175 176 fdata_trydestroy(fdata); 177 } 178 179 static int 180 fuse_device_filter(struct cdev *dev, struct knote *kn) 181 { 182 struct fuse_data *data; 183 int error; 184 185 error = devfs_get_cdevpriv((void **)&data); 186 187 if (error == 0 && kn->kn_filter == EVFILT_READ) { 188 kn->kn_fop = &fuse_device_rfiltops; 189 kn->kn_hook = data; 190 knlist_add(&data->ks_rsel.si_note, kn, 0); 191 error = 0; 192 } else if (error == 0 && kn->kn_filter == EVFILT_WRITE) { 193 kn->kn_fop = &fuse_device_wfiltops; 194 error = 0; 195 } else if (error == 0) { 196 error = EINVAL; 197 kn->kn_data = error; 198 } 199 200 return (error); 201 } 202 203 static void 204 fuse_device_filt_detach(struct knote *kn) 205 { 206 struct fuse_data *data; 207 208 data = (struct fuse_data*)kn->kn_hook; 209 MPASS(data != NULL); 210 knlist_remove(&data->ks_rsel.si_note, kn, 0); 211 kn->kn_hook = NULL; 212 } 213 214 static int 215 fuse_device_filt_read(struct knote *kn, long hint) 216 { 217 struct fuse_data *data; 218 int ready; 219 220 data = (struct fuse_data*)kn->kn_hook; 221 MPASS(data != NULL); 222 223 mtx_assert(&data->ms_mtx, MA_OWNED); 224 if (fdata_get_dead(data)) { 225 kn->kn_flags |= EV_EOF; 226 kn->kn_fflags = ENODEV; 227 kn->kn_data = 1; 228 ready = 1; 229 } else if (STAILQ_FIRST(&data->ms_head)) { 230 MPASS(data->ms_count >= 1); 231 kn->kn_data = data->ms_count; 232 ready = 1; 233 } else { 234 ready = 0; 235 } 236 237 return (ready); 238 } 239 240 static int 241 fuse_device_filt_write(struct knote *kn, long hint) 242 { 243 244 kn->kn_data = 0; 245 246 /* The device is always ready to write, so we return 1*/ 247 return (1); 248 } 249 250 /* 251 * Resources are set up on a per-open basis 252 */ 253 static int 254 fuse_device_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 255 { 256 struct fuse_data *fdata; 257 int error; 258 259 SDT_PROBE2(fusefs, , device, trace, 1, "device open"); 260 261 fdata = fdata_alloc(dev, td->td_ucred); 262 error = devfs_set_cdevpriv(fdata, fdata_dtor); 263 if (error != 0) 264 fdata_trydestroy(fdata); 265 else 266 SDT_PROBE2(fusefs, , device, trace, 1, "device open success"); 267 return (error); 268 } 269 270 int 271 fuse_device_poll(struct cdev *dev, int events, struct thread *td) 272 { 273 struct fuse_data *data; 274 int error, revents = 0; 275 276 error = devfs_get_cdevpriv((void **)&data); 277 if (error != 0) 278 return (events & 279 (POLLHUP|POLLIN|POLLRDNORM|POLLOUT|POLLWRNORM)); 280 281 if (events & (POLLIN | POLLRDNORM)) { 282 fuse_lck_mtx_lock(data->ms_mtx); 283 if (fdata_get_dead(data) || STAILQ_FIRST(&data->ms_head)) 284 revents |= events & (POLLIN | POLLRDNORM); 285 else 286 selrecord(td, &data->ks_rsel); 287 fuse_lck_mtx_unlock(data->ms_mtx); 288 } 289 if (events & (POLLOUT | POLLWRNORM)) { 290 revents |= events & (POLLOUT | POLLWRNORM); 291 } 292 return (revents); 293 } 294 295 /* 296 * fuse_device_read hangs on the queue of VFS messages. 297 * When it's notified that there is a new one, it picks that and 298 * passes up to the daemon 299 */ 300 int 301 fuse_device_read(struct cdev *dev, struct uio *uio, int ioflag) 302 { 303 int err; 304 struct fuse_data *data; 305 struct fuse_ticket *tick; 306 void *buf; 307 int buflen; 308 309 SDT_PROBE2(fusefs, , device, trace, 1, "fuse device read"); 310 311 err = devfs_get_cdevpriv((void **)&data); 312 if (err != 0) 313 return (err); 314 315 fuse_lck_mtx_lock(data->ms_mtx); 316 again: 317 if (fdata_get_dead(data)) { 318 SDT_PROBE2(fusefs, , device, trace, 2, 319 "we know early on that reader should be kicked so we " 320 "don't wait for news"); 321 fuse_lck_mtx_unlock(data->ms_mtx); 322 return (ENODEV); 323 } 324 if (!(tick = fuse_ms_pop(data))) { 325 /* check if we may block */ 326 if (ioflag & O_NONBLOCK) { 327 /* get outa here soon */ 328 fuse_lck_mtx_unlock(data->ms_mtx); 329 return (EAGAIN); 330 } else { 331 err = msleep(data, &data->ms_mtx, PCATCH, "fu_msg", 0); 332 if (err != 0) { 333 fuse_lck_mtx_unlock(data->ms_mtx); 334 return (fdata_get_dead(data) ? ENODEV : err); 335 } 336 tick = fuse_ms_pop(data); 337 } 338 } 339 if (!tick) { 340 /* 341 * We can get here if fuse daemon suddenly terminates, 342 * eg, by being hit by a SIGKILL 343 * -- and some other cases, too, tho not totally clear, when 344 * (cv_signal/wakeup_one signals the whole process ?) 345 */ 346 SDT_PROBE2(fusefs, , device, trace, 1, "no message on thread"); 347 goto again; 348 } 349 fuse_lck_mtx_unlock(data->ms_mtx); 350 351 if (fdata_get_dead(data)) { 352 /* 353 * somebody somewhere -- eg., umount routine -- 354 * wants this liaison finished off 355 */ 356 SDT_PROBE2(fusefs, , device, trace, 2, 357 "reader is to be sacked"); 358 if (tick) { 359 SDT_PROBE2(fusefs, , device, trace, 2, "weird -- " 360 "\"kick\" is set tho there is message"); 361 FUSE_ASSERT_MS_DONE(tick); 362 fuse_ticket_drop(tick); 363 } 364 return (ENODEV); /* This should make the daemon get off 365 * of us */ 366 } 367 SDT_PROBE2(fusefs, , device, trace, 1, 368 "fuse device read message successfully"); 369 370 buf = tick->tk_ms_fiov.base; 371 buflen = tick->tk_ms_fiov.len; 372 373 /* 374 * Why not ban mercilessly stupid daemons who can't keep up 375 * with us? (There is no much use of a partial read here...) 376 */ 377 /* 378 * XXX note that in such cases Linux FUSE throws EIO at the 379 * syscall invoker and stands back to the message queue. The 380 * rationale should be made clear (and possibly adopt that 381 * behaviour). Keeping the current scheme at least makes 382 * fallacy as loud as possible... 383 */ 384 if (uio->uio_resid < buflen) { 385 fdata_set_dead(data); 386 SDT_PROBE2(fusefs, , device, trace, 2, 387 "daemon is stupid, kick it off..."); 388 err = ENODEV; 389 } else { 390 err = uiomove(buf, buflen, uio); 391 } 392 393 FUSE_ASSERT_MS_DONE(tick); 394 fuse_ticket_drop(tick); 395 396 return (err); 397 } 398 399 static inline int 400 fuse_ohead_audit(struct fuse_out_header *ohead, struct uio *uio) 401 { 402 if (uio->uio_resid + sizeof(struct fuse_out_header) != ohead->len) { 403 SDT_PROBE2(fusefs, , device, trace, 1, 404 "Format error: body size " 405 "differs from size claimed by header"); 406 return (EINVAL); 407 } 408 if (uio->uio_resid && ohead->unique != 0 && ohead->error) { 409 SDT_PROBE2(fusefs, , device, trace, 1, 410 "Format error: non zero error but message had a body"); 411 return (EINVAL); 412 } 413 414 return (0); 415 } 416 417 SDT_PROBE_DEFINE1(fusefs, , device, fuse_device_write_notify, 418 "struct fuse_out_header*"); 419 SDT_PROBE_DEFINE1(fusefs, , device, fuse_device_write_missing_ticket, 420 "uint64_t"); 421 SDT_PROBE_DEFINE1(fusefs, , device, fuse_device_write_found, 422 "struct fuse_ticket*"); 423 /* 424 * fuse_device_write first reads the header sent by the daemon. 425 * If that's OK, looks up ticket/callback node by the unique id seen in header. 426 * If the callback node contains a handler function, the uio is passed over 427 * that. 428 */ 429 static int 430 fuse_device_write(struct cdev *dev, struct uio *uio, int ioflag) 431 { 432 struct fuse_out_header ohead; 433 int err = 0; 434 struct fuse_data *data; 435 struct mount *mp; 436 struct fuse_ticket *tick, *itick, *x_tick; 437 int found = 0; 438 439 err = devfs_get_cdevpriv((void **)&data); 440 if (err != 0) 441 return (err); 442 mp = data->mp; 443 444 if (uio->uio_resid < sizeof(struct fuse_out_header)) { 445 SDT_PROBE2(fusefs, , device, trace, 1, 446 "fuse_device_write got less than a header!"); 447 fdata_set_dead(data); 448 return (EINVAL); 449 } 450 if ((err = uiomove(&ohead, sizeof(struct fuse_out_header), uio)) != 0) 451 return (err); 452 453 if (data->linux_errnos != 0 && ohead.error != 0) { 454 err = -ohead.error; 455 if (err < 0 || err >= nitems(linux_to_bsd_errtbl)) 456 return (EINVAL); 457 458 /* '-', because it will get flipped again below */ 459 ohead.error = -linux_to_bsd_errtbl[err]; 460 } 461 462 /* 463 * We check header information (which is redundant) and compare it 464 * with what we see. If we see some inconsistency we discard the 465 * whole answer and proceed on as if it had never existed. In 466 * particular, no pretender will be woken up, regardless the 467 * "unique" value in the header. 468 */ 469 if ((err = fuse_ohead_audit(&ohead, uio))) { 470 fdata_set_dead(data); 471 return (err); 472 } 473 /* Pass stuff over to callback if there is one installed */ 474 475 /* Looking for ticket with the unique id of header */ 476 fuse_lck_mtx_lock(data->aw_mtx); 477 TAILQ_FOREACH_SAFE(tick, &data->aw_head, tk_aw_link, 478 x_tick) { 479 if (tick->tk_unique == ohead.unique) { 480 SDT_PROBE1(fusefs, , device, fuse_device_write_found, 481 tick); 482 found = 1; 483 fuse_aw_remove(tick); 484 break; 485 } 486 } 487 if (found && tick->irq_unique > 0) { 488 /* 489 * Discard the FUSE_INTERRUPT ticket that tried to interrupt 490 * this operation 491 */ 492 TAILQ_FOREACH_SAFE(itick, &data->aw_head, tk_aw_link, 493 x_tick) { 494 if (itick->tk_unique == tick->irq_unique) { 495 fuse_aw_remove(itick); 496 fuse_ticket_drop(itick); 497 break; 498 } 499 } 500 tick->irq_unique = 0; 501 } 502 fuse_lck_mtx_unlock(data->aw_mtx); 503 504 if (found) { 505 if (tick->tk_aw_handler) { 506 /* 507 * We found a callback with proper handler. In this 508 * case the out header will be 0wnd by the callback, 509 * so the fun of freeing that is left for her. 510 * (Then, by all chance, she'll just get that's done 511 * via ticket_drop(), so no manual mucking 512 * around...) 513 */ 514 SDT_PROBE2(fusefs, , device, trace, 1, 515 "pass ticket to a callback"); 516 /* Sanitize the linuxism of negative errnos */ 517 ohead.error *= -1; 518 if (ohead.error < 0 || ohead.error > ELAST) { 519 /* Illegal error code */ 520 ohead.error = EIO; 521 memcpy(&tick->tk_aw_ohead, &ohead, 522 sizeof(ohead)); 523 tick->tk_aw_handler(tick, uio); 524 err = EINVAL; 525 } else { 526 memcpy(&tick->tk_aw_ohead, &ohead, 527 sizeof(ohead)); 528 err = tick->tk_aw_handler(tick, uio); 529 } 530 } else { 531 /* pretender doesn't wanna do anything with answer */ 532 SDT_PROBE2(fusefs, , device, trace, 1, 533 "stuff devalidated, so we drop it"); 534 } 535 536 /* 537 * As aw_mtx was not held during the callback execution the 538 * ticket may have been inserted again. However, this is safe 539 * because fuse_ticket_drop() will deal with refcount anyway. 540 */ 541 fuse_ticket_drop(tick); 542 } else if (ohead.unique == 0){ 543 /* unique == 0 means asynchronous notification */ 544 SDT_PROBE1(fusefs, , device, fuse_device_write_notify, &ohead); 545 switch (ohead.error) { 546 case FUSE_NOTIFY_INVAL_ENTRY: 547 err = fuse_internal_invalidate_entry(mp, uio); 548 break; 549 case FUSE_NOTIFY_INVAL_INODE: 550 err = fuse_internal_invalidate_inode(mp, uio); 551 break; 552 case FUSE_NOTIFY_RETRIEVE: 553 case FUSE_NOTIFY_STORE: 554 /* 555 * Unimplemented. I don't know of any file systems 556 * that use them, and the protocol isn't sound anyway, 557 * since the notification messages don't include the 558 * inode's generation number. Without that, it's 559 * possible to manipulate the cache of the wrong vnode. 560 * Finally, it's not defined what this message should 561 * do for a file with dirty cache. 562 */ 563 case FUSE_NOTIFY_POLL: 564 /* Unimplemented. See comments in fuse_vnops */ 565 default: 566 /* Not implemented */ 567 err = ENOSYS; 568 } 569 } else { 570 /* no callback at all! */ 571 SDT_PROBE1(fusefs, , device, fuse_device_write_missing_ticket, 572 ohead.unique); 573 if (ohead.error == -EAGAIN) { 574 /* 575 * This was probably a response to a FUSE_INTERRUPT 576 * operation whose original operation is already 577 * complete. We can't store FUSE_INTERRUPT tickets 578 * indefinitely because their responses are optional. 579 * So we delete them when the original operation 580 * completes. And sadly the fuse_header_out doesn't 581 * identify the opcode, so we have to guess. 582 */ 583 err = 0; 584 } else { 585 err = EINVAL; 586 } 587 } 588 589 return (err); 590 } 591 592 int 593 fuse_device_init(void) 594 { 595 596 fuse_dev = make_dev(&fuse_device_cdevsw, 0, UID_ROOT, GID_OPERATOR, 597 S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, "fuse"); 598 if (fuse_dev == NULL) 599 return (ENOMEM); 600 return (0); 601 } 602 603 void 604 fuse_device_destroy(void) 605 { 606 607 MPASS(fuse_dev != NULL); 608 destroy_dev(fuse_dev); 609 } 610