/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include "fuse_i.h"

#include <linux/init.h>
#include <linux/module.h>
#include <linux/poll.h>
#include <linux/uio.h>
#include <linux/miscdevice.h>
#include <linux/pagemap.h>
#include <linux/file.h>
#include <linux/slab.h>

MODULE_ALIAS_MISCDEV(FUSE_MINOR);

static kmem_cache_t *fuse_req_cachep;

static struct fuse_conn *fuse_get_conn(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return file->private_data;
}

static void fuse_request_init(struct fuse_req *req)
{
	memset(req, 0, sizeof(*req));
	INIT_LIST_HEAD(&req->list);
	INIT_LIST_HEAD(&req->intr_entry);
	init_waitqueue_head(&req->waitq);
	atomic_set(&req->count, 1);
}

struct fuse_req *fuse_request_alloc(void)
{
	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, SLAB_KERNEL);
	if (req)
		fuse_request_init(req);
	return req;
}

void fuse_request_free(struct fuse_req *req)
{
	kmem_cache_free(fuse_req_cachep, req);
}

static void block_sigs(sigset_t *oldset)
{
	sigset_t mask;

	siginitsetinv(&mask, sigmask(SIGKILL));
	sigprocmask(SIG_BLOCK, &mask, oldset);
}

static void restore_sigs(sigset_t *oldset)
{
	sigprocmask(SIG_SETMASK, oldset, NULL);
}

static void __fuse_get_request(struct fuse_req *req)
{
	atomic_inc(&req->count);
}

/* Must be called with > 1 refcount */
static void __fuse_put_request(struct fuse_req *req)
{
	BUG_ON(atomic_read(&req->count) < 2);
	atomic_dec(&req->count);
}

static void fuse_req_init_context(struct fuse_req *req)
{
	req->in.h.uid = current->fsuid;
	req->in.h.gid = current->fsgid;
	req->in.h.pid = current->pid;
}

struct fuse_req *fuse_get_req(struct fuse_conn *fc)
{
	struct fuse_req *req;
	sigset_t oldset;
	int intr;
	int err;

	atomic_inc(&fc->num_waiting);
	block_sigs(&oldset);
	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
	restore_sigs(&oldset);
	err = -EINTR;
	if (intr)
		goto out;

	err = -ENOTCONN;
	if (!fc->connected)
		goto out;

	req = fuse_request_alloc();
	err = -ENOMEM;
	if (!req)
		goto out;

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;

 out:
	atomic_dec(&fc->num_waiting);
	return ERR_PTR(err);
}

/*
 * Return request in fuse_file->reserved_req.  However that may
 * currently be in use.  If that is the case, wait for it to become
 * available.
 */
static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
					 struct file *file)
{
	struct fuse_req *req = NULL;
	struct fuse_file *ff = file->private_data;

	do {
		wait_event(fc->blocked_waitq, ff->reserved_req);
		spin_lock(&fc->lock);
		if (ff->reserved_req) {
			req = ff->reserved_req;
			ff->reserved_req = NULL;
			get_file(file);
			req->stolen_file = file;
		}
		spin_unlock(&fc->lock);
	} while (!req);

	return req;
}

/*
 * Put stolen request back into fuse_file->reserved_req
 */
static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
{
	struct file *file = req->stolen_file;
	struct fuse_file *ff = file->private_data;

	spin_lock(&fc->lock);
	fuse_request_init(req);
	BUG_ON(ff->reserved_req);
	ff->reserved_req = req;
	wake_up(&fc->blocked_waitq);
	spin_unlock(&fc->lock);
	fput(file);
}

/*
 * Gets a request for a file operation, always succeeds
 *
 * This is used for sending the FLUSH request, which must get to
 * userspace, due to POSIX locks which may need to be unlocked.
 *
 * If allocation fails due to OOM, use the reserved request in
 * fuse_file.
 *
 * This is very unlikely to deadlock accidentally, since the
 * filesystem should not have its own file open.  If deadlock is
 * intentional, it can still be broken by "aborting" the filesystem.
 */
struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
{
	struct fuse_req *req;

	atomic_inc(&fc->num_waiting);
	wait_event(fc->blocked_waitq, !fc->blocked);
	req = fuse_request_alloc();
	if (!req)
		req = get_reserved_req(fc, file);

	fuse_req_init_context(req);
	req->waiting = 1;
	return req;
}

void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (atomic_dec_and_test(&req->count)) {
		if (req->waiting)
			atomic_dec(&fc->num_waiting);

		if (req->stolen_file)
			put_reserved_req(fc, req);
		else
			fuse_request_free(req);
	}
}
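/*
 * Request lifetime in brief: fuse_request_init() starts each request
 * with a reference count of one, __fuse_get_request() takes extra
 * references (for example while a requester waits for the answer),
 * and fuse_put_request() drops one reference, freeing the request
 * (or returning it to fuse_file->reserved_req if it was stolen from
 * there) once the count reaches zero.
 */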
/*
 * This function is called when a request is finished.  Either a reply
 * has arrived or it was aborted (and not yet sent) or some error
 * occurred during communication with userspace, or the device file
 * was closed.  The requester thread is woken up (if still waiting),
 * the 'end' callback is called if given, else the reference to the
 * request is released
 *
 * Called with fc->lock, unlocks it
 */
static void request_end(struct fuse_conn *fc, struct fuse_req *req)
{
	void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
	req->end = NULL;
	list_del(&req->list);
	list_del(&req->intr_entry);
	req->state = FUSE_REQ_FINISHED;
	if (req->background) {
		if (fc->num_background == FUSE_MAX_BACKGROUND) {
			fc->blocked = 0;
			wake_up_all(&fc->blocked_waitq);
		}
		fc->num_background--;
	}
	spin_unlock(&fc->lock);
	dput(req->dentry);
	mntput(req->vfsmount);
	if (req->file)
		fput(req->file);
	wake_up(&req->waitq);
	if (end)
		end(fc, req);
	else
		fuse_put_request(fc, req);
}

static void wait_answer_interruptible(struct fuse_conn *fc,
				      struct fuse_req *req)
{
	if (signal_pending(current))
		return;

	spin_unlock(&fc->lock);
	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
	spin_lock(&fc->lock);
}

static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
{
	list_add_tail(&req->intr_entry, &fc->interrupts);
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

/* Called with fc->lock held.  Releases, and then reacquires it. */
static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
{
	if (!fc->no_interrupt) {
		/* Any signal may interrupt this */
		wait_answer_interruptible(fc, req);

		if (req->aborted)
			goto aborted;
		if (req->state == FUSE_REQ_FINISHED)
			return;

		req->interrupted = 1;
		if (req->state == FUSE_REQ_SENT)
			queue_interrupt(fc, req);
	}

	if (req->force) {
		spin_unlock(&fc->lock);
		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
		spin_lock(&fc->lock);
	} else {
		sigset_t oldset;

		/* Only fatal signals may interrupt this */
		block_sigs(&oldset);
		wait_answer_interruptible(fc, req);
		restore_sigs(&oldset);
	}

	if (req->aborted)
		goto aborted;
	if (req->state == FUSE_REQ_FINISHED)
		return;

	req->out.h.error = -EINTR;
	req->aborted = 1;

 aborted:
	if (req->locked) {
		/* This is uninterruptible sleep, because data is
		   being copied to/from the buffers of req.  During
		   locked state, there mustn't be any filesystem
		   operation (e.g. page fault), since that could lead
		   to deadlock */
		spin_unlock(&fc->lock);
		wait_event(req->waitq, !req->locked);
		spin_lock(&fc->lock);
	}
	if (req->state == FUSE_REQ_PENDING) {
		list_del(&req->list);
		__fuse_put_request(req);
	} else if (req->state == FUSE_REQ_SENT) {
		spin_unlock(&fc->lock);
		wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
		spin_lock(&fc->lock);
	}
}

static unsigned len_args(unsigned numargs, struct fuse_arg *args)
{
	unsigned nbytes = 0;
	unsigned i;

	for (i = 0; i < numargs; i++)
		nbytes += args[i].size;

	return nbytes;
}

static u64 fuse_get_unique(struct fuse_conn *fc)
{
	fc->reqctr++;
	/* zero is special */
	if (fc->reqctr == 0)
		fc->reqctr = 1;

	return fc->reqctr;
}

static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
{
	req->in.h.unique = fuse_get_unique(fc);
	req->in.h.len = sizeof(struct fuse_in_header) +
		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
	list_add_tail(&req->list, &fc->pending);
	req->state = FUSE_REQ_PENDING;
	if (!req->waiting) {
		req->waiting = 1;
		atomic_inc(&fc->num_waiting);
	}
	wake_up(&fc->waitq);
	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
}

void request_send(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	spin_lock(&fc->lock);
	if (!fc->connected)
		req->out.h.error = -ENOTCONN;
	else if (fc->conn_error)
		req->out.h.error = -ECONNREFUSED;
	else {
		queue_request(fc, req);
		/* acquire extra reference, since request is still needed
		   after request_end() */
		__fuse_get_request(req);

		request_wait_answer(fc, req);
	}
	spin_unlock(&fc->lock);
}

static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		req->background = 1;
		fc->num_background++;
		if (fc->num_background == FUSE_MAX_BACKGROUND)
			fc->blocked = 1;

		queue_request(fc, req);
		spin_unlock(&fc->lock);
	} else {
		req->out.h.error = -ENOTCONN;
		request_end(fc, req);
	}
}

void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 0;
	request_send_nowait(fc, req);
}

void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
{
	req->isreply = 1;
	request_send_nowait(fc, req);
}
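/*
 * The senders above are driven by the filesystem operations.  A rough
 * sketch of a typical synchronous call (opcode and argument layout
 * vary per operation; FUSE_GETATTR and the local names here are only
 * an example):
 *
 *	req = fuse_get_req(fc);
 *	if (IS_ERR(req))
 *		return PTR_ERR(req);
 *	req->in.h.opcode = FUSE_GETATTR;
 *	req->in.h.nodeid = get_node_id(inode);
 *	req->out.numargs = 1;
 *	req->out.args[0].size = sizeof(outarg);
 *	req->out.args[0].value = &outarg;
 *	request_send(fc, req);
 *	err = req->out.h.error;
 *	fuse_put_request(fc, req);
 */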
/*
 * Lock the request.  Up to the next unlock_request() there mustn't be
 * anything that could cause a page-fault.  If the request was already
 * aborted bail out.
 */
static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	int err = 0;
	if (req) {
		spin_lock(&fc->lock);
		if (req->aborted)
			err = -ENOENT;
		else
			req->locked = 1;
		spin_unlock(&fc->lock);
	}
	return err;
}

/*
 * Unlock request.  If it was aborted during being locked, the
 * requester thread is currently waiting for it to be unlocked, so
 * wake it up.
 */
static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
{
	if (req) {
		spin_lock(&fc->lock);
		req->locked = 0;
		if (req->aborted)
			wake_up(&req->waitq);
		spin_unlock(&fc->lock);
	}
}

struct fuse_copy_state {
	struct fuse_conn *fc;
	int write;
	struct fuse_req *req;
	const struct iovec *iov;
	unsigned long nr_segs;
	unsigned long seglen;
	unsigned long addr;
	struct page *pg;
	void *mapaddr;
	void *buf;
	unsigned len;
};

static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
			   int write, struct fuse_req *req,
			   const struct iovec *iov, unsigned long nr_segs)
{
	memset(cs, 0, sizeof(*cs));
	cs->fc = fc;
	cs->write = write;
	cs->req = req;
	cs->iov = iov;
	cs->nr_segs = nr_segs;
}

/* Unmap and put previous page of userspace buffer */
static void fuse_copy_finish(struct fuse_copy_state *cs)
{
	if (cs->mapaddr) {
		kunmap_atomic(cs->mapaddr, KM_USER0);
		if (cs->write) {
			flush_dcache_page(cs->pg);
			set_page_dirty_lock(cs->pg);
		}
		put_page(cs->pg);
		cs->mapaddr = NULL;
	}
}

/*
 * Get another pageful of userspace buffer, and map it to kernel
 * address space, and lock request
 */
static int fuse_copy_fill(struct fuse_copy_state *cs)
{
	unsigned long offset;
	int err;

	unlock_request(cs->fc, cs->req);
	fuse_copy_finish(cs);
	if (!cs->seglen) {
		BUG_ON(!cs->nr_segs);
		cs->seglen = cs->iov[0].iov_len;
		cs->addr = (unsigned long) cs->iov[0].iov_base;
		cs->iov++;
		cs->nr_segs--;
	}
	down_read(&current->mm->mmap_sem);
	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
			     &cs->pg, NULL);
	up_read(&current->mm->mmap_sem);
	if (err < 0)
		return err;
	BUG_ON(err != 1);
	offset = cs->addr % PAGE_SIZE;
	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
	cs->buf = cs->mapaddr + offset;
	cs->len = min(PAGE_SIZE - offset, cs->seglen);
	cs->seglen -= cs->len;
	cs->addr += cs->len;

	return lock_request(cs->fc, cs->req);
}

/* Do as much copy to/from userspace buffer as we can */
static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
{
	unsigned ncpy = min(*size, cs->len);
	if (val) {
		if (cs->write)
			memcpy(cs->buf, *val, ncpy);
		else
			memcpy(*val, cs->buf, ncpy);
		*val += ncpy;
	}
	*size -= ncpy;
	cs->len -= ncpy;
	cs->buf += ncpy;
	return ncpy;
}
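/*
 * The fuse_copy_* helpers are driven in a fixed pattern by the device
 * read and write paths further down (a sketch):
 *
 *	fuse_copy_init(&cs, fc, write, req, iov, nr_segs);
 *	err = fuse_copy_one(&cs, &header, sizeof(header));
 *	if (!err)
 *		err = fuse_copy_args(&cs, numargs, argpages, args, zeroing);
 *	fuse_copy_finish(&cs);
 *
 * fuse_copy_fill() pins and maps one page of the userspace buffer at
 * a time; fuse_copy_finish() unmaps and releases the last such page.
 */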
/*
 * Copy a page in the request to/from the userspace buffer.  Must be
 * done atomically
 */
static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
			  unsigned offset, unsigned count, int zeroing)
{
	if (page && zeroing && count < PAGE_SIZE) {
		void *mapaddr = kmap_atomic(page, KM_USER1);
		memset(mapaddr, 0, PAGE_SIZE);
		kunmap_atomic(mapaddr, KM_USER1);
	}
	while (count) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		if (page) {
			void *mapaddr = kmap_atomic(page, KM_USER1);
			void *buf = mapaddr + offset;
			offset += fuse_copy_do(cs, &buf, &count);
			kunmap_atomic(mapaddr, KM_USER1);
		} else
			offset += fuse_copy_do(cs, NULL, &count);
	}
	if (page && !cs->write)
		flush_dcache_page(page);
	return 0;
}

/* Copy pages in the request to/from userspace buffer */
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
			   int zeroing)
{
	unsigned i;
	struct fuse_req *req = cs->req;
	unsigned offset = req->page_offset;
	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);

	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
		struct page *page = req->pages[i];
		int err = fuse_copy_page(cs, page, offset, count, zeroing);
		if (err)
			return err;

		nbytes -= count;
		count = min(nbytes, (unsigned) PAGE_SIZE);
		offset = 0;
	}
	return 0;
}

/* Copy a single argument in the request to/from userspace buffer */
static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
{
	while (size) {
		int err;
		if (!cs->len && (err = fuse_copy_fill(cs)))
			return err;
		fuse_copy_do(cs, &val, &size);
	}
	return 0;
}

/* Copy request arguments to/from userspace buffer */
static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
			  unsigned argpages, struct fuse_arg *args,
			  int zeroing)
{
	int err = 0;
	unsigned i;

	for (i = 0; !err && i < numargs; i++) {
		struct fuse_arg *arg = &args[i];
		if (i == numargs - 1 && argpages)
			err = fuse_copy_pages(cs, arg->size, zeroing);
		else
			err = fuse_copy_one(cs, arg->value, arg->size);
	}
	return err;
}

static int request_pending(struct fuse_conn *fc)
{
	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
}

/* Wait until a request is available on the pending list */
static void request_wait(struct fuse_conn *fc)
{
	DECLARE_WAITQUEUE(wait, current);

	add_wait_queue_exclusive(&fc->waitq, &wait);
	while (fc->connected && !request_pending(fc)) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (signal_pending(current))
			break;

		spin_unlock(&fc->lock);
		schedule();
		spin_lock(&fc->lock);
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(&fc->waitq, &wait);
}
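/*
 * Interrupts in brief: when a waiting request is interrupted,
 * request_wait_answer() puts it on fc->interrupts, and the next read
 * by the daemon delivers a FUSE_INTERRUPT message carrying the unique
 * ID of the original request (see fuse_read_interrupt() below).  The
 * daemon's reply to that message is handled in fuse_dev_writev(): an
 * -ENOSYS reply disables interrupts for the connection, an -EAGAIN
 * reply causes the interrupt to be queued again.
 */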
/*
 * Transfer an interrupt request to userspace
 *
 * Unlike other requests this is assembled on demand, without a need
 * to allocate a separate fuse_req structure.
 *
 * Called with fc->lock held, releases it
 */
static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
			       const struct iovec *iov, unsigned long nr_segs)
{
	struct fuse_copy_state cs;
	struct fuse_in_header ih;
	struct fuse_interrupt_in arg;
	unsigned reqsize = sizeof(ih) + sizeof(arg);
	int err;

	list_del_init(&req->intr_entry);
	req->intr_unique = fuse_get_unique(fc);
	memset(&ih, 0, sizeof(ih));
	memset(&arg, 0, sizeof(arg));
	ih.len = reqsize;
	ih.opcode = FUSE_INTERRUPT;
	ih.unique = req->intr_unique;
	arg.unique = req->in.h.unique;

	spin_unlock(&fc->lock);
	if (iov_length(iov, nr_segs) < reqsize)
		return -EINVAL;

	fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
	err = fuse_copy_one(&cs, &ih, sizeof(ih));
	if (!err)
		err = fuse_copy_one(&cs, &arg, sizeof(arg));
	fuse_copy_finish(&cs);

	return err ? err : reqsize;
}

/*
 * Read a single request into the userspace filesystem's buffer.  This
 * function waits until a request is available, then removes it from
 * the pending list and copies request data to userspace buffer.  If
 * no reply is needed (FORGET) or request has been aborted or there
 * was an error during the copying then it's finished by calling
 * request_end().  Otherwise add it to the processing list, and set
 * the 'sent' flag.
 */
static ssize_t fuse_dev_readv(struct file *file, const struct iovec *iov,
			      unsigned long nr_segs, loff_t *off)
{
	int err;
	struct fuse_req *req;
	struct fuse_in *in;
	struct fuse_copy_state cs;
	unsigned reqsize;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

 restart:
	spin_lock(&fc->lock);
	err = -EAGAIN;
	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
	    !request_pending(fc))
		goto err_unlock;

	request_wait(fc);
	err = -ENODEV;
	if (!fc->connected)
		goto err_unlock;
	err = -ERESTARTSYS;
	if (!request_pending(fc))
		goto err_unlock;

	if (!list_empty(&fc->interrupts)) {
		req = list_entry(fc->interrupts.next, struct fuse_req,
				 intr_entry);
		return fuse_read_interrupt(fc, req, iov, nr_segs);
	}

	req = list_entry(fc->pending.next, struct fuse_req, list);
	req->state = FUSE_REQ_READING;
	list_move(&req->list, &fc->io);

	in = &req->in;
	reqsize = in->h.len;
	/* If request is too large, reply with an error and restart the read */
	if (iov_length(iov, nr_segs) < reqsize) {
		req->out.h.error = -EIO;
		/* SETXATTR is special, since it may contain too large data */
		if (in->h.opcode == FUSE_SETXATTR)
			req->out.h.error = -E2BIG;
		request_end(fc, req);
		goto restart;
	}
	spin_unlock(&fc->lock);
	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
	if (!err)
		err = fuse_copy_args(&cs, in->numargs, in->argpages,
				     (struct fuse_arg *) in->args, 0);
	fuse_copy_finish(&cs);
	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err && req->aborted)
		err = -ENOENT;
	if (err) {
		if (!req->aborted)
			req->out.h.error = -EIO;
		request_end(fc, req);
		return err;
	}
	if (!req->isreply)
		request_end(fc, req);
	else {
		req->state = FUSE_REQ_SENT;
		list_move_tail(&req->list, &fc->processing);
		if (req->interrupted)
			queue_interrupt(fc, req);
		spin_unlock(&fc->lock);
	}
	return reqsize;

 err_unlock:
	spin_unlock(&fc->lock);
	return err;
}
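/*
 * Seen from the daemon, the device protocol is symmetric: each read()
 * returns one message made up of a struct fuse_in_header followed by
 * the request-specific arguments, and each write() must supply a
 * struct fuse_out_header (with 'unique' copied from the request it
 * answers) followed by the reply arguments.  A rough sketch of the
 * userspace loop, assuming a buffer big enough for any request:
 *
 *	for (;;) {
 *		n = read(fuse_fd, buf, bufsize);
 *		in = (struct fuse_in_header *) buf;
 *		... handle the operation, build the reply ...
 *		out.unique = in->unique;
 *		out.error = 0;
 *		out.len = sizeof(out) + argsize;
 *		... write the header and arguments in one write() ...
 *	}
 */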
static ssize_t fuse_dev_read(struct file *file, char __user *buf,
			     size_t nbytes, loff_t *off)
{
	struct iovec iov;
	iov.iov_len = nbytes;
	iov.iov_base = buf;
	return fuse_dev_readv(file, &iov, 1, off);
}

/* Look up request on processing list by unique ID */
static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
{
	struct list_head *entry;

	list_for_each(entry, &fc->processing) {
		struct fuse_req *req;
		req = list_entry(entry, struct fuse_req, list);
		if (req->in.h.unique == unique || req->intr_unique == unique)
			return req;
	}
	return NULL;
}

static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
			 unsigned nbytes)
{
	unsigned reqsize = sizeof(struct fuse_out_header);

	if (out->h.error)
		return nbytes != reqsize ? -EINVAL : 0;

	reqsize += len_args(out->numargs, out->args);

	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
		return -EINVAL;
	else if (reqsize > nbytes) {
		struct fuse_arg *lastarg = &out->args[out->numargs-1];
		unsigned diffsize = reqsize - nbytes;
		if (diffsize > lastarg->size)
			return -EINVAL;
		lastarg->size -= diffsize;
	}
	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
			      out->page_zeroing);
}
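/*
 * Note that when out->argvar is set a reply may legitimately be
 * shorter than the declared size of its last argument (a short READ,
 * for example); copy_out_args() shrinks the last argument to match.
 */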
/*
 * Write a single reply to a request.  First the header is copied from
 * the write buffer.  The request is then searched on the processing
 * list by the unique ID found in the header.  If found, then remove
 * it from the list and copy the rest of the buffer to the request.
 * The request is finished by calling request_end()
 */
static ssize_t fuse_dev_writev(struct file *file, const struct iovec *iov,
			       unsigned long nr_segs, loff_t *off)
{
	int err;
	unsigned nbytes = iov_length(iov, nr_segs);
	struct fuse_req *req;
	struct fuse_out_header oh;
	struct fuse_copy_state cs;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
	if (nbytes < sizeof(struct fuse_out_header))
		return -EINVAL;

	err = fuse_copy_one(&cs, &oh, sizeof(oh));
	if (err)
		goto err_finish;
	err = -EINVAL;
	if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
	    oh.len != nbytes)
		goto err_finish;

	spin_lock(&fc->lock);
	err = -ENOENT;
	if (!fc->connected)
		goto err_unlock;

	req = request_find(fc, oh.unique);
	if (!req)
		goto err_unlock;

	if (req->aborted) {
		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		spin_lock(&fc->lock);
		request_end(fc, req);
		return -ENOENT;
	}
	/* Is it an interrupt reply? */
	if (req->intr_unique == oh.unique) {
		err = -EINVAL;
		if (nbytes != sizeof(struct fuse_out_header))
			goto err_unlock;

		if (oh.error == -ENOSYS)
			fc->no_interrupt = 1;
		else if (oh.error == -EAGAIN)
			queue_interrupt(fc, req);

		spin_unlock(&fc->lock);
		fuse_copy_finish(&cs);
		return nbytes;
	}

	req->state = FUSE_REQ_WRITING;
	list_move(&req->list, &fc->io);
	req->out.h = oh;
	req->locked = 1;
	cs.req = req;
	spin_unlock(&fc->lock);

	err = copy_out_args(&cs, &req->out, nbytes);
	fuse_copy_finish(&cs);

	spin_lock(&fc->lock);
	req->locked = 0;
	if (!err) {
		if (req->aborted)
			err = -ENOENT;
	} else if (!req->aborted)
		req->out.h.error = -EIO;
	request_end(fc, req);

	return err ? err : nbytes;

 err_unlock:
	spin_unlock(&fc->lock);
 err_finish:
	fuse_copy_finish(&cs);
	return err;
}

static ssize_t fuse_dev_write(struct file *file, const char __user *buf,
			      size_t nbytes, loff_t *off)
{
	struct iovec iov;
	iov.iov_len = nbytes;
	iov.iov_base = (char __user *) buf;
	return fuse_dev_writev(file, &iov, 1, off);
}

static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
{
	unsigned mask = POLLOUT | POLLWRNORM;
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return POLLERR;

	poll_wait(file, &fc->waitq, wait);

	spin_lock(&fc->lock);
	if (!fc->connected)
		mask = POLLERR;
	else if (request_pending(fc))
		mask |= POLLIN | POLLRDNORM;
	spin_unlock(&fc->lock);

	return mask;
}

/*
 * Abort all requests on the given list (pending or processing)
 *
 * This function releases and reacquires fc->lock
 */
static void end_requests(struct fuse_conn *fc, struct list_head *head)
{
	while (!list_empty(head)) {
		struct fuse_req *req;
		req = list_entry(head->next, struct fuse_req, list);
		req->out.h.error = -ECONNABORTED;
		request_end(fc, req);
		spin_lock(&fc->lock);
	}
}

/*
 * Abort requests under I/O
 *
 * The requests are set to aborted and finished, and the request
 * waiter is woken up.  This will make request_wait_answer() wait
 * until the request is unlocked and then return.
 *
 * If the request is asynchronous, then the end function needs to be
 * called after waiting for the request to be unlocked (if it was
 * locked).
 */
static void end_io_requests(struct fuse_conn *fc)
{
	while (!list_empty(&fc->io)) {
		struct fuse_req *req =
			list_entry(fc->io.next, struct fuse_req, list);
		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;

		req->aborted = 1;
		req->out.h.error = -ECONNABORTED;
		req->state = FUSE_REQ_FINISHED;
		list_del_init(&req->list);
		wake_up(&req->waitq);
		if (end) {
			req->end = NULL;
			/* The end function will consume this reference */
			__fuse_get_request(req);
			spin_unlock(&fc->lock);
			wait_event(req->waitq, !req->locked);
			end(fc, req);
			spin_lock(&fc->lock);
		}
	}
}
/*
 * Abort all requests.
 *
 * Emergency exit in case of a malicious or accidental deadlock, or
 * just a hung filesystem.
 *
 * The same effect is usually achievable through killing the
 * filesystem daemon and all users of the filesystem.  The exception
 * is the combination of an asynchronous request and the tricky
 * deadlock (see Documentation/filesystems/fuse.txt).
 *
 * During the aborting, progression of requests from the pending and
 * processing lists onto the io list, and progression of new requests
 * onto the pending list is prevented by fc->connected being false.
 *
 * Progression of requests under I/O to the processing list is
 * prevented by the req->aborted flag being true for these requests.
 * For this reason requests on the io list must be aborted first.
 */
void fuse_abort_conn(struct fuse_conn *fc)
{
	spin_lock(&fc->lock);
	if (fc->connected) {
		fc->connected = 0;
		fc->blocked = 0;
		end_io_requests(fc);
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		wake_up_all(&fc->waitq);
		wake_up_all(&fc->blocked_waitq);
		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
	}
	spin_unlock(&fc->lock);
}

static int fuse_dev_release(struct inode *inode, struct file *file)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (fc) {
		spin_lock(&fc->lock);
		fc->connected = 0;
		end_requests(fc, &fc->pending);
		end_requests(fc, &fc->processing);
		spin_unlock(&fc->lock);
		fasync_helper(-1, file, 0, &fc->fasync);
		fuse_conn_put(fc);
	}

	return 0;
}

static int fuse_dev_fasync(int fd, struct file *file, int on)
{
	struct fuse_conn *fc = fuse_get_conn(file);
	if (!fc)
		return -EPERM;

	/* No locking - fasync_helper does its own locking */
	return fasync_helper(fd, file, on, &fc->fasync);
}

const struct file_operations fuse_dev_operations = {
	.owner		= THIS_MODULE,
	.llseek		= no_llseek,
	.read		= fuse_dev_read,
	.readv		= fuse_dev_readv,
	.write		= fuse_dev_write,
	.writev		= fuse_dev_writev,
	.poll		= fuse_dev_poll,
	.release	= fuse_dev_release,
	.fasync		= fuse_dev_fasync,
};

static struct miscdevice fuse_miscdevice = {
	.minor = FUSE_MINOR,
	.name  = "fuse",
	.fops = &fuse_dev_operations,
};

int __init fuse_dev_init(void)
{
	int err = -ENOMEM;
	fuse_req_cachep = kmem_cache_create("fuse_request",
					    sizeof(struct fuse_req),
					    0, 0, NULL, NULL);
	if (!fuse_req_cachep)
		goto out;

	err = misc_register(&fuse_miscdevice);
	if (err)
		goto out_cache_clean;

	return 0;

 out_cache_clean:
	kmem_cache_destroy(fuse_req_cachep);
 out:
	return err;
}

void fuse_dev_cleanup(void)
{
	misc_deregister(&fuse_miscdevice);
	kmem_cache_destroy(fuse_req_cachep);
}