1==================== 2Changes since 2.5.0: 3==================== 4 5--- 6 7**recommended** 8 9New helpers: sb_bread(), sb_getblk(), sb_find_get_block(), set_bh(), 10sb_set_blocksize() and sb_min_blocksize(). 11 12Use them. 13 14(sb_find_get_block() replaces 2.4's get_hash_table()) 15 16--- 17 18**recommended** 19 20New methods: ->alloc_inode() and ->destroy_inode(). 21 22Remove inode->u.foo_inode_i 23 24Declare:: 25 26 struct foo_inode_info { 27 /* fs-private stuff */ 28 struct inode vfs_inode; 29 }; 30 static inline struct foo_inode_info *FOO_I(struct inode *inode) 31 { 32 return list_entry(inode, struct foo_inode_info, vfs_inode); 33 } 34 35Use FOO_I(inode) instead of &inode->u.foo_inode_i; 36 37Add foo_alloc_inode() and foo_destroy_inode() - the former should allocate 38foo_inode_info and return the address of ->vfs_inode, the latter should free 39FOO_I(inode) (see in-tree filesystems for examples). 40 41Make them ->alloc_inode and ->destroy_inode in your super_operations. 42 43Keep in mind that now you need explicit initialization of private data 44typically between calling iget_locked() and unlocking the inode. 45 46At some point that will become mandatory. 47 48**mandatory** 49 50The foo_inode_info should always be allocated through alloc_inode_sb() rather 51than kmem_cache_alloc() or kmalloc() related to set up the inode reclaim context 52correctly. 53 54--- 55 56**mandatory** 57 58Change of file_system_type method (->read_super to ->get_sb) 59 60->read_super() is no more. Ditto for DECLARE_FSTYPE and DECLARE_FSTYPE_DEV. 61 62Turn your foo_read_super() into a function that would return 0 in case of 63success and negative number in case of error (-EINVAL unless you have more 64informative error value to report). Call it foo_fill_super(). Now declare:: 65 66 int foo_get_sb(struct file_system_type *fs_type, 67 int flags, const char *dev_name, void *data, struct vfsmount *mnt) 68 { 69 return get_sb_bdev(fs_type, flags, dev_name, data, foo_fill_super, 70 mnt); 71 } 72 73(or similar with s/bdev/nodev/ or s/bdev/single/, depending on the kind of 74filesystem). 75 76Replace DECLARE_FSTYPE... with explicit initializer and have ->get_sb set as 77foo_get_sb. 78 79--- 80 81**mandatory** 82 83Locking change: ->s_vfs_rename_sem is taken only by cross-directory renames. 84Most likely there is no need to change anything, but if you relied on 85global exclusion between renames for some internal purpose - you need to 86change your internal locking. Otherwise exclusion warranties remain the 87same (i.e. parents and victim are locked, etc.). 88 89--- 90 91**informational** 92 93Now we have the exclusion between ->lookup() and directory removal (by 94->rmdir() and ->rename()). If you used to need that exclusion and do 95it by internal locking (most of filesystems couldn't care less) - you 96can relax your locking. 97 98--- 99 100**mandatory** 101 102->lookup(), ->truncate(), ->create(), ->unlink(), ->mknod(), ->mkdir(), 103->rmdir(), ->link(), ->lseek(), ->symlink(), ->rename() 104and ->readdir() are called without BKL now. Grab it on entry, drop upon return 105- that will guarantee the same locking you used to have. If your method or its 106parts do not need BKL - better yet, now you can shift lock_kernel() and 107unlock_kernel() so that they would protect exactly what needs to be 108protected. 109 110--- 111 112**mandatory** 113 114BKL is also moved from around sb operations. BKL should have been shifted into 115individual fs sb_op functions. If you don't need it, remove it. 116 117--- 118 119**informational** 120 121check for ->link() target not being a directory is done by callers. Feel 122free to drop it... 123 124--- 125 126**informational** 127 128->link() callers hold ->i_mutex on the object we are linking to. Some of your 129problems might be over... 130 131--- 132 133**mandatory** 134 135new file_system_type method - kill_sb(superblock). If you are converting 136an existing filesystem, set it according to ->fs_flags:: 137 138 FS_REQUIRES_DEV - kill_block_super 139 FS_LITTER - kill_litter_super 140 neither - kill_anon_super 141 142FS_LITTER is gone - just remove it from fs_flags. 143 144--- 145 146**mandatory** 147 148FS_SINGLE is gone (actually, that had happened back when ->get_sb() 149went in - and hadn't been documented ;-/). Just remove it from fs_flags 150(and see ->get_sb() entry for other actions). 151 152--- 153 154**mandatory** 155 156->setattr() is called without BKL now. Caller _always_ holds ->i_mutex, so 157watch for ->i_mutex-grabbing code that might be used by your ->setattr(). 158Callers of notify_change() need ->i_mutex now. 159 160--- 161 162**recommended** 163 164New super_block field ``struct export_operations *s_export_op`` for 165explicit support for exporting, e.g. via NFS. The structure is fully 166documented at its declaration in include/linux/fs.h, and in 167Documentation/filesystems/nfs/exporting.rst. 168 169Briefly it allows for the definition of decode_fh and encode_fh operations 170to encode and decode filehandles, and allows the filesystem to use 171a standard helper function for decode_fh, and provide file-system specific 172support for this helper, particularly get_parent. 173 174It is planned that this will be required for exporting once the code 175settles down a bit. 176 177**mandatory** 178 179s_export_op is now required for exporting a filesystem. 180isofs, ext2, ext3, reiserfs, fat 181can be used as examples of very different filesystems. 182 183--- 184 185**mandatory** 186 187iget4() and the read_inode2 callback have been superseded by iget5_locked() 188which has the following prototype:: 189 190 struct inode *iget5_locked(struct super_block *sb, unsigned long ino, 191 int (*test)(struct inode *, void *), 192 int (*set)(struct inode *, void *), 193 void *data); 194 195'test' is an additional function that can be used when the inode 196number is not sufficient to identify the actual file object. 'set' 197should be a non-blocking function that initializes those parts of a 198newly created inode to allow the test function to succeed. 'data' is 199passed as an opaque value to both test and set functions. 200 201When the inode has been created by iget5_locked(), it will be returned with the 202I_NEW flag set and will still be locked. The filesystem then needs to finalize 203the initialization. Once the inode is initialized it must be unlocked by 204calling unlock_new_inode(). 205 206The filesystem is responsible for setting (and possibly testing) i_ino 207when appropriate. There is also a simpler iget_locked function that 208just takes the superblock and inode number as arguments and does the 209test and set for you. 210 211e.g.:: 212 213 inode = iget_locked(sb, ino); 214 if (inode->i_state & I_NEW) { 215 err = read_inode_from_disk(inode); 216 if (err < 0) { 217 iget_failed(inode); 218 return err; 219 } 220 unlock_new_inode(inode); 221 } 222 223Note that if the process of setting up a new inode fails, then iget_failed() 224should be called on the inode to render it dead, and an appropriate error 225should be passed back to the caller. 226 227--- 228 229**recommended** 230 231->getattr() finally getting used. See instances in nfs, minix, etc. 232 233--- 234 235**mandatory** 236 237->revalidate() is gone. If your filesystem had it - provide ->getattr() 238and let it call whatever you had as ->revlidate() + (for symlinks that 239had ->revalidate()) add calls in ->follow_link()/->readlink(). 240 241--- 242 243**mandatory** 244 245->d_parent changes are not protected by BKL anymore. Read access is safe 246if at least one of the following is true: 247 248 * filesystem has no cross-directory rename() 249 * we know that parent had been locked (e.g. we are looking at 250 ->d_parent of ->lookup() argument). 251 * we are called from ->rename(). 252 * the child's ->d_lock is held 253 254Audit your code and add locking if needed. Notice that any place that is 255not protected by the conditions above is risky even in the old tree - you 256had been relying on BKL and that's prone to screwups. Old tree had quite 257a few holes of that kind - unprotected access to ->d_parent leading to 258anything from oops to silent memory corruption. 259 260--- 261 262**mandatory** 263 264FS_NOMOUNT is gone. If you use it - just set SB_NOUSER in flags 265(see rootfs for one kind of solution and bdev/socket/pipe for another). 266 267--- 268 269**recommended** 270 271Use bdev_read_only(bdev) instead of is_read_only(kdev). The latter 272is still alive, but only because of the mess in drivers/s390/block/dasd.c. 273As soon as it gets fixed is_read_only() will die. 274 275--- 276 277**mandatory** 278 279->permission() is called without BKL now. Grab it on entry, drop upon 280return - that will guarantee the same locking you used to have. If 281your method or its parts do not need BKL - better yet, now you can 282shift lock_kernel() and unlock_kernel() so that they would protect 283exactly what needs to be protected. 284 285--- 286 287**mandatory** 288 289->statfs() is now called without BKL held. BKL should have been 290shifted into individual fs sb_op functions where it's not clear that 291it's safe to remove it. If you don't need it, remove it. 292 293--- 294 295**mandatory** 296 297is_read_only() is gone; use bdev_read_only() instead. 298 299--- 300 301**mandatory** 302 303destroy_buffers() is gone; use invalidate_bdev(). 304 305--- 306 307**mandatory** 308 309fsync_dev() is gone; use fsync_bdev(). NOTE: lvm breakage is 310deliberate; as soon as struct block_device * is propagated in a reasonable 311way by that code fixing will become trivial; until then nothing can be 312done. 313 314**mandatory** 315 316block truncatation on error exit from ->write_begin, and ->direct_IO 317moved from generic methods (block_write_begin, cont_write_begin, 318nobh_write_begin, blockdev_direct_IO*) to callers. Take a look at 319ext2_write_failed and callers for an example. 320 321**mandatory** 322 323->truncate is gone. The whole truncate sequence needs to be 324implemented in ->setattr, which is now mandatory for filesystems 325implementing on-disk size changes. Start with a copy of the old inode_setattr 326and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to 327be in order of zeroing blocks using block_truncate_page or similar helpers, 328size update and on finally on-disk truncation which should not fail. 329setattr_prepare (which used to be inode_change_ok) now includes the size checks 330for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally. 331 332**mandatory** 333 334->clear_inode() and ->delete_inode() are gone; ->evict_inode() should 335be used instead. It gets called whenever the inode is evicted, whether it has 336remaining links or not. Caller does *not* evict the pagecache or inode-associated 337metadata buffers; the method has to use truncate_inode_pages_final() to get rid 338of those. Caller makes sure async writeback cannot be running for the inode while 339(or after) ->evict_inode() is called. 340 341->drop_inode() returns int now; it's called on final iput() with 342inode->i_lock held and it returns true if filesystems wants the inode to be 343dropped. As before, generic_drop_inode() is still the default and it's been 344updated appropriately. generic_delete_inode() is also alive and it consists 345simply of return 1. Note that all actual eviction work is done by caller after 346->drop_inode() returns. 347 348As before, clear_inode() must be called exactly once on each call of 349->evict_inode() (as it used to be for each call of ->delete_inode()). Unlike 350before, if you are using inode-associated metadata buffers (i.e. 351mark_buffer_dirty_inode()), it's your responsibility to call 352invalidate_inode_buffers() before clear_inode(). 353 354NOTE: checking i_nlink in the beginning of ->write_inode() and bailing out 355if it's zero is not *and* *never* *had* *been* enough. Final unlink() and iput() 356may happen while the inode is in the middle of ->write_inode(); e.g. if you blindly 357free the on-disk inode, you may end up doing that while ->write_inode() is writing 358to it. 359 360--- 361 362**mandatory** 363 364.d_delete() now only advises the dcache as to whether or not to cache 365unreferenced dentries, and is now only called when the dentry refcount goes to 3660. Even on 0 refcount transition, it must be able to tolerate being called 0, 3671, or more times (eg. constant, idempotent). 368 369--- 370 371**mandatory** 372 373.d_compare() calling convention and locking rules are significantly 374changed. Read updated documentation in Documentation/filesystems/vfs.rst (and 375look at examples of other filesystems) for guidance. 376 377--- 378 379**mandatory** 380 381.d_hash() calling convention and locking rules are significantly 382changed. Read updated documentation in Documentation/filesystems/vfs.rst (and 383look at examples of other filesystems) for guidance. 384 385--- 386 387**mandatory** 388 389dcache_lock is gone, replaced by fine grained locks. See fs/dcache.c 390for details of what locks to replace dcache_lock with in order to protect 391particular things. Most of the time, a filesystem only needs ->d_lock, which 392protects *all* the dcache state of a given dentry. 393 394--- 395 396**mandatory** 397 398Filesystems must RCU-free their inodes, if they can have been accessed 399via rcu-walk path walk (basically, if the file can have had a path name in the 400vfs namespace). 401 402Even though i_dentry and i_rcu share storage in a union, we will 403initialize the former in inode_init_always(), so just leave it alone in 404the callback. It used to be necessary to clean it there, but not anymore 405(starting at 3.2). 406 407--- 408 409**recommended** 410 411vfs now tries to do path walking in "rcu-walk mode", which avoids 412atomic operations and scalability hazards on dentries and inodes (see 413Documentation/filesystems/path-lookup.txt). d_hash and d_compare changes 414(above) are examples of the changes required to support this. For more complex 415filesystem callbacks, the vfs drops out of rcu-walk mode before the fs call, so 416no changes are required to the filesystem. However, this is costly and loses 417the benefits of rcu-walk mode. We will begin to add filesystem callbacks that 418are rcu-walk aware, shown below. Filesystems should take advantage of this 419where possible. 420 421--- 422 423**mandatory** 424 425d_revalidate is a callback that is made on every path element (if 426the filesystem provides it), which requires dropping out of rcu-walk mode. This 427may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be 428returned if the filesystem cannot handle rcu-walk. See 429Documentation/filesystems/vfs.rst for more details. 430 431permission is an inode permission check that is called on many or all 432directory inodes on the way down a path walk (to check for exec permission). It 433must now be rcu-walk aware (mask & MAY_NOT_BLOCK). See 434Documentation/filesystems/vfs.rst for more details. 435 436--- 437 438**mandatory** 439 440In ->fallocate() you must check the mode option passed in. If your 441filesystem does not support hole punching (deallocating space in the middle of a 442file) you must return -EOPNOTSUPP if FALLOC_FL_PUNCH_HOLE is set in mode. 443Currently you can only have FALLOC_FL_PUNCH_HOLE with FALLOC_FL_KEEP_SIZE set, 444so the i_size should not change when hole punching, even when puching the end of 445a file off. 446 447--- 448 449**mandatory** 450 451->get_sb() is gone. Switch to use of ->mount(). Typically it's just 452a matter of switching from calling ``get_sb_``... to ``mount_``... and changing 453the function type. If you were doing it manually, just switch from setting 454->mnt_root to some pointer to returning that pointer. On errors return 455ERR_PTR(...). 456 457--- 458 459**mandatory** 460 461->permission() and generic_permission()have lost flags 462argument; instead of passing IPERM_FLAG_RCU we add MAY_NOT_BLOCK into mask. 463 464generic_permission() has also lost the check_acl argument; ACL checking 465has been taken to VFS and filesystems need to provide a non-NULL 466->i_op->get_inode_acl to read an ACL from disk. 467 468--- 469 470**mandatory** 471 472If you implement your own ->llseek() you must handle SEEK_HOLE and 473SEEK_DATA. You can handle this by returning -EINVAL, but it would be nicer to 474support it in some way. The generic handler assumes that the entire file is 475data and there is a virtual hole at the end of the file. So if the provided 476offset is less than i_size and SEEK_DATA is specified, return the same offset. 477If the above is true for the offset and you are given SEEK_HOLE, return the end 478of the file. If the offset is i_size or greater return -ENXIO in either case. 479 480**mandatory** 481 482If you have your own ->fsync() you must make sure to call 483filemap_write_and_wait_range() so that all dirty pages are synced out properly. 484You must also keep in mind that ->fsync() is not called with i_mutex held 485anymore, so if you require i_mutex locking you must make sure to take it and 486release it yourself. 487 488--- 489 490**mandatory** 491 492d_alloc_root() is gone, along with a lot of bugs caused by code 493misusing it. Replacement: d_make_root(inode). On success d_make_root(inode) 494allocates and returns a new dentry instantiated with the passed in inode. 495On failure NULL is returned and the passed in inode is dropped so the reference 496to inode is consumed in all cases and failure handling need not do any cleanup 497for the inode. If d_make_root(inode) is passed a NULL inode it returns NULL 498and also requires no further error handling. Typical usage is:: 499 500 inode = foofs_new_inode(....); 501 s->s_root = d_make_root(inode); 502 if (!s->s_root) 503 /* Nothing needed for the inode cleanup */ 504 return -ENOMEM; 505 ... 506 507--- 508 509**mandatory** 510 511The witch is dead! Well, 2/3 of it, anyway. ->d_revalidate() and 512->lookup() do *not* take struct nameidata anymore; just the flags. 513 514--- 515 516**mandatory** 517 518->create() doesn't take ``struct nameidata *``; unlike the previous 519two, it gets "is it an O_EXCL or equivalent?" boolean argument. Note that 520local filesystems can ignore this argument - they are guaranteed that the 521object doesn't exist. It's remote/distributed ones that might care... 522 523--- 524 525**mandatory** 526 527FS_REVAL_DOT is gone; if you used to have it, add ->d_weak_revalidate() 528in your dentry operations instead. 529 530--- 531 532**mandatory** 533 534vfs_readdir() is gone; switch to iterate_dir() instead 535 536--- 537 538**mandatory** 539 540->readdir() is gone now; switch to ->iterate_shared() 541 542**mandatory** 543 544vfs_follow_link has been removed. Filesystems must use nd_set_link 545from ->follow_link for normal symlinks, or nd_jump_link for magic 546/proc/<pid> style links. 547 548--- 549 550**mandatory** 551 552iget5_locked()/ilookup5()/ilookup5_nowait() test() callback used to be 553called with both ->i_lock and inode_hash_lock held; the former is *not* 554taken anymore, so verify that your callbacks do not rely on it (none 555of the in-tree instances did). inode_hash_lock is still held, 556of course, so they are still serialized wrt removal from inode hash, 557as well as wrt set() callback of iget5_locked(). 558 559--- 560 561**mandatory** 562 563d_materialise_unique() is gone; d_splice_alias() does everything you 564need now. Remember that they have opposite orders of arguments ;-/ 565 566--- 567 568**mandatory** 569 570f_dentry is gone; use f_path.dentry, or, better yet, see if you can avoid 571it entirely. 572 573--- 574 575**mandatory** 576 577never call ->read() and ->write() directly; use __vfs_{read,write} or 578wrappers; instead of checking for ->write or ->read being NULL, look for 579FMODE_CAN_{WRITE,READ} in file->f_mode. 580 581--- 582 583**mandatory** 584 585do _not_ use new_sync_{read,write} for ->read/->write; leave it NULL 586instead. 587 588--- 589 590**mandatory** 591 ->aio_read/->aio_write are gone. Use ->read_iter/->write_iter. 592 593--- 594 595**recommended** 596 597for embedded ("fast") symlinks just set inode->i_link to wherever the 598symlink body is and use simple_follow_link() as ->follow_link(). 599 600--- 601 602**mandatory** 603 604calling conventions for ->follow_link() have changed. Instead of returning 605cookie and using nd_set_link() to store the body to traverse, we return 606the body to traverse and store the cookie using explicit void ** argument. 607nameidata isn't passed at all - nd_jump_link() doesn't need it and 608nd_[gs]et_link() is gone. 609 610--- 611 612**mandatory** 613 614calling conventions for ->put_link() have changed. It gets inode instead of 615dentry, it does not get nameidata at all and it gets called only when cookie 616is non-NULL. Note that link body isn't available anymore, so if you need it, 617store it as cookie. 618 619--- 620 621**mandatory** 622 623any symlink that might use page_follow_link_light/page_put_link() must 624have inode_nohighmem(inode) called before anything might start playing with 625its pagecache. No highmem pages should end up in the pagecache of such 626symlinks. That includes any preseeding that might be done during symlink 627creation. page_symlink() will honour the mapping gfp flags, so once 628you've done inode_nohighmem() it's safe to use, but if you allocate and 629insert the page manually, make sure to use the right gfp flags. 630 631--- 632 633**mandatory** 634 635->follow_link() is replaced with ->get_link(); same API, except that 636 637 * ->get_link() gets inode as a separate argument 638 * ->get_link() may be called in RCU mode - in that case NULL 639 dentry is passed 640 641--- 642 643**mandatory** 644 645->get_link() gets struct delayed_call ``*done`` now, and should do 646set_delayed_call() where it used to set ``*cookie``. 647 648->put_link() is gone - just give the destructor to set_delayed_call() 649in ->get_link(). 650 651--- 652 653**mandatory** 654 655->getxattr() and xattr_handler.get() get dentry and inode passed separately. 656dentry might be yet to be attached to inode, so do _not_ use its ->d_inode 657in the instances. Rationale: !@#!@# security_d_instantiate() needs to be 658called before we attach dentry to inode. 659 660--- 661 662**mandatory** 663 664symlinks are no longer the only inodes that do *not* have i_bdev/i_cdev/ 665i_pipe/i_link union zeroed out at inode eviction. As the result, you can't 666assume that non-NULL value in ->i_nlink at ->destroy_inode() implies that 667it's a symlink. Checking ->i_mode is really needed now. In-tree we had 668to fix shmem_destroy_callback() that used to take that kind of shortcut; 669watch out, since that shortcut is no longer valid. 670 671--- 672 673**mandatory** 674 675->i_mutex is replaced with ->i_rwsem now. inode_lock() et.al. work as 676they used to - they just take it exclusive. However, ->lookup() may be 677called with parent locked shared. Its instances must not 678 679 * use d_instantiate) and d_rehash() separately - use d_add() or 680 d_splice_alias() instead. 681 * use d_rehash() alone - call d_add(new_dentry, NULL) instead. 682 * in the unlikely case when (read-only) access to filesystem 683 data structures needs exclusion for some reason, arrange it 684 yourself. None of the in-tree filesystems needed that. 685 * rely on ->d_parent and ->d_name not changing after dentry has 686 been fed to d_add() or d_splice_alias(). Again, none of the 687 in-tree instances relied upon that. 688 689We are guaranteed that lookups of the same name in the same directory 690will not happen in parallel ("same" in the sense of your ->d_compare()). 691Lookups on different names in the same directory can and do happen in 692parallel now. 693 694--- 695 696**mandatory** 697 698->iterate_shared() is added. 699Exclusion on struct file level is still provided (as well as that 700between it and lseek on the same struct file), but if your directory 701has been opened several times, you can get these called in parallel. 702Exclusion between that method and all directory-modifying ones is 703still provided, of course. 704 705If you have any per-inode or per-dentry in-core data structures modified 706by ->iterate_shared(), you might need something to serialize the access 707to them. If you do dcache pre-seeding, you'll need to switch to 708d_alloc_parallel() for that; look for in-tree examples. 709 710--- 711 712**mandatory** 713 714->atomic_open() calls without O_CREAT may happen in parallel. 715 716--- 717 718**mandatory** 719 720->setxattr() and xattr_handler.set() get dentry and inode passed separately. 721The xattr_handler.set() gets passed the user namespace of the mount the inode 722is seen from so filesystems can idmap the i_uid and i_gid accordingly. 723dentry might be yet to be attached to inode, so do _not_ use its ->d_inode 724in the instances. Rationale: !@#!@# security_d_instantiate() needs to be 725called before we attach dentry to inode and !@#!@##!@$!$#!@#$!@$!@$ smack 726->d_instantiate() uses not just ->getxattr() but ->setxattr() as well. 727 728--- 729 730**mandatory** 731 732->d_compare() doesn't get parent as a separate argument anymore. If you 733used it for finding the struct super_block involved, dentry->d_sb will 734work just as well; if it's something more complicated, use dentry->d_parent. 735Just be careful not to assume that fetching it more than once will yield 736the same value - in RCU mode it could change under you. 737 738--- 739 740**mandatory** 741 742->rename() has an added flags argument. Any flags not handled by the 743filesystem should result in EINVAL being returned. 744 745--- 746 747 748**recommended** 749 750->readlink is optional for symlinks. Don't set, unless filesystem needs 751to fake something for readlink(2). 752 753--- 754 755**mandatory** 756 757->getattr() is now passed a struct path rather than a vfsmount and 758dentry separately, and it now has request_mask and query_flags arguments 759to specify the fields and sync type requested by statx. Filesystems not 760supporting any statx-specific features may ignore the new arguments. 761 762--- 763 764**mandatory** 765 766->atomic_open() calling conventions have changed. Gone is ``int *opened``, 767along with FILE_OPENED/FILE_CREATED. In place of those we have 768FMODE_OPENED/FMODE_CREATED, set in file->f_mode. Additionally, return 769value for 'called finish_no_open(), open it yourself' case has become 7700, not 1. Since finish_no_open() itself is returning 0 now, that part 771does not need any changes in ->atomic_open() instances. 772 773--- 774 775**mandatory** 776 777alloc_file() has become static now; two wrappers are to be used instead. 778alloc_file_pseudo(inode, vfsmount, name, flags, ops) is for the cases 779when dentry needs to be created; that's the majority of old alloc_file() 780users. Calling conventions: on success a reference to new struct file 781is returned and callers reference to inode is subsumed by that. On 782failure, ERR_PTR() is returned and no caller's references are affected, 783so the caller needs to drop the inode reference it held. 784alloc_file_clone(file, flags, ops) does not affect any caller's references. 785On success you get a new struct file sharing the mount/dentry with the 786original, on failure - ERR_PTR(). 787 788--- 789 790**mandatory** 791 792->clone_file_range() and ->dedupe_file_range have been replaced with 793->remap_file_range(). See Documentation/filesystems/vfs.rst for more 794information. 795 796--- 797 798**recommended** 799 800->lookup() instances doing an equivalent of:: 801 802 if (IS_ERR(inode)) 803 return ERR_CAST(inode); 804 return d_splice_alias(inode, dentry); 805 806don't need to bother with the check - d_splice_alias() will do the 807right thing when given ERR_PTR(...) as inode. Moreover, passing NULL 808inode to d_splice_alias() will also do the right thing (equivalent of 809d_add(dentry, NULL); return NULL;), so that kind of special cases 810also doesn't need a separate treatment. 811 812--- 813 814**strongly recommended** 815 816take the RCU-delayed parts of ->destroy_inode() into a new method - 817->free_inode(). If ->destroy_inode() becomes empty - all the better, 818just get rid of it. Synchronous work (e.g. the stuff that can't 819be done from an RCU callback, or any WARN_ON() where we want the 820stack trace) *might* be movable to ->evict_inode(); however, 821that goes only for the things that are not needed to balance something 822done by ->alloc_inode(). IOW, if it's cleaning up the stuff that 823might have accumulated over the life of in-core inode, ->evict_inode() 824might be a fit. 825 826Rules for inode destruction: 827 828 * if ->destroy_inode() is non-NULL, it gets called 829 * if ->free_inode() is non-NULL, it gets scheduled by call_rcu() 830 * combination of NULL ->destroy_inode and NULL ->free_inode is 831 treated as NULL/free_inode_nonrcu, to preserve the compatibility. 832 833Note that the callback (be it via ->free_inode() or explicit call_rcu() 834in ->destroy_inode()) is *NOT* ordered wrt superblock destruction; 835as the matter of fact, the superblock and all associated structures 836might be already gone. The filesystem driver is guaranteed to be still 837there, but that's it. Freeing memory in the callback is fine; doing 838more than that is possible, but requires a lot of care and is best 839avoided. 840 841--- 842 843**mandatory** 844 845DCACHE_RCUACCESS is gone; having an RCU delay on dentry freeing is the 846default. DCACHE_NORCU opts out, and only d_alloc_pseudo() has any 847business doing so. 848 849--- 850 851**mandatory** 852 853d_alloc_pseudo() is internal-only; uses outside of alloc_file_pseudo() are 854very suspect (and won't work in modules). Such uses are very likely to 855be misspelled d_alloc_anon(). 856 857--- 858 859**mandatory** 860 861[should've been added in 2016] stale comment in finish_open() nonwithstanding, 862failure exits in ->atomic_open() instances should *NOT* fput() the file, 863no matter what. Everything is handled by the caller. 864 865--- 866 867**mandatory** 868 869clone_private_mount() returns a longterm mount now, so the proper destructor of 870its result is kern_unmount() or kern_unmount_array(). 871 872--- 873 874**mandatory** 875 876zero-length bvec segments are disallowed, they must be filtered out before 877passed on to an iterator. 878 879--- 880 881**mandatory** 882 883For bvec based itererators bio_iov_iter_get_pages() now doesn't copy bvecs but 884uses the one provided. Anyone issuing kiocb-I/O should ensure that the bvec and 885page references stay until I/O has completed, i.e. until ->ki_complete() has 886been called or returned with non -EIOCBQUEUED code. 887 888--- 889 890**mandatory** 891 892mnt_want_write_file() can now only be paired with mnt_drop_write_file(), 893whereas previously it could be paired with mnt_drop_write() as well. 894 895--- 896 897**mandatory** 898 899iov_iter_copy_from_user_atomic() is gone; use copy_page_from_iter_atomic(). 900The difference is copy_page_from_iter_atomic() advances the iterator and 901you don't need iov_iter_advance() after it. However, if you decide to use 902only a part of obtained data, you should do iov_iter_revert(). 903 904--- 905 906**mandatory** 907 908Calling conventions for file_open_root() changed; now it takes struct path * 909instead of passing mount and dentry separately. For callers that used to 910pass <mnt, mnt->mnt_root> pair (i.e. the root of given mount), a new helper 911is provided - file_open_root_mnt(). In-tree users adjusted. 912 913--- 914 915**mandatory** 916 917no_llseek is gone; don't set .llseek to that - just leave it NULL instead. 918Checks for "does that file have llseek(2), or should it fail with ESPIPE" 919should be done by looking at FMODE_LSEEK in file->f_mode. 920 921--- 922 923*mandatory* 924 925filldir_t (readdir callbacks) calling conventions have changed. Instead of 926returning 0 or -E... it returns bool now. false means "no more" (as -E... used 927to) and true - "keep going" (as 0 in old calling conventions). Rationale: 928callers never looked at specific -E... values anyway. -> iterate_shared() 929instances require no changes at all, all filldir_t ones in the tree 930converted. 931 932--- 933 934**mandatory** 935 936Calling conventions for ->tmpfile() have changed. It now takes a struct 937file pointer instead of struct dentry pointer. d_tmpfile() is similarly 938changed to simplify callers. The passed file is in a non-open state and on 939success must be opened before returning (e.g. by calling 940finish_open_simple()). 941 942--- 943 944**mandatory** 945 946Calling convention for ->huge_fault has changed. It now takes a page 947order instead of an enum page_entry_size, and it may be called without the 948mmap_lock held. All in-tree users have been audited and do not seem to 949depend on the mmap_lock being held, but out of tree users should verify 950for themselves. If they do need it, they can return VM_FAULT_RETRY to 951be called with the mmap_lock held. 952 953--- 954 955**mandatory** 956 957The order of opening block devices and matching or creating superblocks has 958changed. 959 960The old logic opened block devices first and then tried to find a 961suitable superblock to reuse based on the block device pointer. 962 963The new logic tries to find a suitable superblock first based on the device 964number, and opening the block device afterwards. 965 966Since opening block devices cannot happen under s_umount because of lock 967ordering requirements s_umount is now dropped while opening block devices and 968reacquired before calling fill_super(). 969 970In the old logic concurrent mounters would find the superblock on the list of 971superblocks for the filesystem type. Since the first opener of the block device 972would hold s_umount they would wait until the superblock became either born or 973was discarded due to initialization failure. 974 975Since the new logic drops s_umount concurrent mounters could grab s_umount and 976would spin. Instead they are now made to wait using an explicit wait-wake 977mechanism without having to hold s_umount. 978 979--- 980 981**mandatory** 982 983The holder of a block device is now the superblock. 984 985The holder of a block device used to be the file_system_type which wasn't 986particularly useful. It wasn't possible to go from block device to owning 987superblock without matching on the device pointer stored in the superblock. 988This mechanism would only work for a single device so the block layer couldn't 989find the owning superblock of any additional devices. 990 991In the old mechanism reusing or creating a superblock for a racing mount(2) and 992umount(2) relied on the file_system_type as the holder. This was severly 993underdocumented however: 994 995(1) Any concurrent mounter that managed to grab an active reference on an 996 existing superblock was made to wait until the superblock either became 997 ready or until the superblock was removed from the list of superblocks of 998 the filesystem type. If the superblock is ready the caller would simple 999 reuse it. 1000 1001(2) If the mounter came after deactivate_locked_super() but before 1002 the superblock had been removed from the list of superblocks of the 1003 filesystem type the mounter would wait until the superblock was shutdown, 1004 reuse the block device and allocate a new superblock. 1005 1006(3) If the mounter came after deactivate_locked_super() and after 1007 the superblock had been removed from the list of superblocks of the 1008 filesystem type the mounter would reuse the block device and allocate a new 1009 superblock (the bd_holder point may still be set to the filesystem type). 1010 1011Because the holder of the block device was the file_system_type any concurrent 1012mounter could open the block devices of any superblock of the same 1013file_system_type without risking seeing EBUSY because the block device was 1014still in use by another superblock. 1015 1016Making the superblock the owner of the block device changes this as the holder 1017is now a unique superblock and thus block devices associated with it cannot be 1018reused by concurrent mounters. So a concurrent mounter in (2) could suddenly 1019see EBUSY when trying to open a block device whose holder was a different 1020superblock. 1021 1022The new logic thus waits until the superblock and the devices are shutdown in 1023->kill_sb(). Removal of the superblock from the list of superblocks of the 1024filesystem type is now moved to a later point when the devices are closed: 1025 1026(1) Any concurrent mounter managing to grab an active reference on an existing 1027 superblock is made to wait until the superblock is either ready or until 1028 the superblock and all devices are shutdown in ->kill_sb(). If the 1029 superblock is ready the caller will simply reuse it. 1030 1031(2) If the mounter comes after deactivate_locked_super() but before 1032 the superblock has been removed from the list of superblocks of the 1033 filesystem type the mounter is made to wait until the superblock and the 1034 devices are shut down in ->kill_sb() and the superblock is removed from the 1035 list of superblocks of the filesystem type. The mounter will allocate a new 1036 superblock and grab ownership of the block device (the bd_holder pointer of 1037 the block device will be set to the newly allocated superblock). 1038 1039(3) This case is now collapsed into (2) as the superblock is left on the list 1040 of superblocks of the filesystem type until all devices are shutdown in 1041 ->kill_sb(). In other words, if the superblock isn't on the list of 1042 superblock of the filesystem type anymore then it has given up ownership of 1043 all associated block devices (the bd_holder pointer is NULL). 1044 1045As this is a VFS level change it has no practical consequences for filesystems 1046other than that all of them must use one of the provided kill_litter_super(), 1047kill_anon_super(), or kill_block_super() helpers. 1048 1049--- 1050 1051**mandatory** 1052 1053Lock ordering has been changed so that s_umount ranks above open_mutex again. 1054All places where s_umount was taken under open_mutex have been fixed up. 1055 1056--- 1057 1058**mandatory** 1059 1060export_operations ->encode_fh() no longer has a default implementation to 1061encode FILEID_INO32_GEN* file handles. 1062Filesystems that used the default implementation may use the generic helper 1063generic_encode_ino32_fh() explicitly. 1064 1065--- 1066 1067**mandatory** 1068 1069If ->rename() update of .. on cross-directory move needs an exclusion with 1070directory modifications, do *not* lock the subdirectory in question in your 1071->rename() - it's done by the caller now [that item should've been added in 107228eceeda130f "fs: Lock moved directories"]. 1073 1074--- 1075 1076**mandatory** 1077 1078On same-directory ->rename() the (tautological) update of .. is not protected 1079by any locks; just don't do it if the old parent is the same as the new one. 1080We really can't lock two subdirectories in same-directory rename - not without 1081deadlocks. 1082 1083--- 1084 1085**mandatory** 1086 1087lock_rename() and lock_rename_child() may fail in cross-directory case, if 1088their arguments do not have a common ancestor. In that case ERR_PTR(-EXDEV) 1089is returned, with no locks taken. In-tree users updated; out-of-tree ones 1090would need to do so. 1091 1092--- 1093 1094**mandatory** 1095 1096The list of children anchored in parent dentry got turned into hlist now. 1097Field names got changed (->d_children/->d_sib instead of ->d_subdirs/->d_child 1098for anchor/entries resp.), so any affected places will be immediately caught 1099by compiler. 1100 1101--- 1102 1103**mandatory** 1104 1105->d_delete() instances are now called for dentries with ->d_lock held 1106and refcount equal to 0. They are not permitted to drop/regain ->d_lock. 1107None of in-tree instances did anything of that sort. Make sure yours do not... 1108 1109--- 1110 1111**mandatory** 1112 1113->d_prune() instances are now called without ->d_lock held on the parent. 1114->d_lock on dentry itself is still held; if you need per-parent exclusions (none 1115of the in-tree instances did), use your own spinlock. 1116 1117->d_iput() and ->d_release() are called with victim dentry still in the 1118list of parent's children. It is still unhashed, marked killed, etc., just not 1119removed from parent's ->d_children yet. 1120 1121Anyone iterating through the list of children needs to be aware of the 1122half-killed dentries that might be seen there; taking ->d_lock on those will 1123see them negative, unhashed and with negative refcount, which means that most 1124of the in-kernel users would've done the right thing anyway without any adjustment. 1125 1126--- 1127 1128**recommended** 1129 1130Block device freezing and thawing have been moved to holder operations. 1131 1132Before this change, get_active_super() would only be able to find the 1133superblock of the main block device, i.e., the one stored in sb->s_bdev. Block 1134device freezing now works for any block device owned by a given superblock, not 1135just the main block device. The get_active_super() helper and bd_fsfreeze_sb 1136pointer are gone. 1137