Gitiles
Code Review Sign In
192.168.1.100 / T103 / 1f884588077ad3476b9c91cbb0ee9ee0332bbb68 / . / src / kernel / linux / v4.14 / fs / fuse / dev.c
blob: ec782178b2c29c2176d5bece3519e84032ac4ea1 [file] [log] [blame]
rjw1f884582022-01-06 17:20:42 +0800[diff] [blame^]1/*
2 FUSE: Filesystem in Userspace
3 Copyright (C) 2001-2008 Miklos Szeredi <miklos@szeredi.hu>
4
5 This program can be distributed under the terms of the GNU GPL.
6 See the file COPYING.
7*/
8
9#include "fuse_i.h"
10
11#include <linux/init.h>
12#include <linux/module.h>
13#include <linux/poll.h>
14#include <linux/sched/signal.h>
15#include <linux/uio.h>
16#include <linux/miscdevice.h>
17#include <linux/namei.h>
18#include <linux/pagemap.h>
19#include <linux/file.h>
20#include <linux/slab.h>
21#include <linux/pipe_fs_i.h>
22#include <linux/swap.h>
23#include <linux/splice.h>
24#include <linux/sched.h>
25#include <linux/freezer.h>
26
27MODULE_ALIAS_MISCDEV(FUSE_MINOR);
28MODULE_ALIAS("devname:fuse");
29
30static struct kmem_cache *fuse_req_cachep;
31
32static struct fuse_dev *fuse_get_dev(struct file *file)
33{
34 /*
35 * Lockless access is OK, because file->private data is set
36 * once during mount and is valid until the file is released.
37 */
38 return ACCESS_ONCE(file->private_data);
39}
40
41static void fuse_request_init(struct fuse_req *req, struct page **pages,
42 struct fuse_page_desc *page_descs,
43 unsigned npages)
44{
45 memset(req, 0, sizeof(*req));
46 memset(pages, 0, sizeof(*pages) * npages);
47 memset(page_descs, 0, sizeof(*page_descs) * npages);
48 INIT_LIST_HEAD(&req->list);
49 INIT_LIST_HEAD(&req->intr_entry);
50 init_waitqueue_head(&req->waitq);
51 refcount_set(&req->count, 1);
52 req->pages = pages;
53 req->page_descs = page_descs;
54 req->max_pages = npages;
55 __set_bit(FR_PENDING, &req->flags);
56}
57
58static struct fuse_req *__fuse_request_alloc(unsigned npages, gfp_t flags)
59{
60 struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, flags);
61 if (req) {
62 struct page **pages;
63 struct fuse_page_desc *page_descs;
64
65 if (npages <= FUSE_REQ_INLINE_PAGES) {
66 pages = req->inline_pages;
67 page_descs = req->inline_page_descs;
68 } else {
69 pages = kmalloc(sizeof(struct page *) * npages, flags);
70 page_descs = kmalloc(sizeof(struct fuse_page_desc) *
71 npages, flags);
72 }
73
74 if (!pages || !page_descs) {
75 kfree(pages);
76 kfree(page_descs);
77 kmem_cache_free(fuse_req_cachep, req);
78 return NULL;
79 }
80
81 fuse_request_init(req, pages, page_descs, npages);
82 }
83 return req;
84}
85
86struct fuse_req *fuse_request_alloc(unsigned npages)
87{
88 return __fuse_request_alloc(npages, GFP_KERNEL);
89}
90EXPORT_SYMBOL_GPL(fuse_request_alloc);
91
92struct fuse_req *fuse_request_alloc_nofs(unsigned npages)
93{
94 return __fuse_request_alloc(npages, GFP_NOFS);
95}
96
97void fuse_request_free(struct fuse_req *req)
98{
99 if (req->pages != req->inline_pages) {
100 kfree(req->pages);
101 kfree(req->page_descs);
102 }
103 kmem_cache_free(fuse_req_cachep, req);
104}
105
106void __fuse_get_request(struct fuse_req *req)
107{
108 refcount_inc(&req->count);
109}
110
111/* Must be called with > 1 refcount */
112static void __fuse_put_request(struct fuse_req *req)
113{
114 refcount_dec(&req->count);
115}
116
117static void fuse_req_init_context(struct fuse_conn *fc, struct fuse_req *req)
118{
119 req->in.h.uid = from_kuid_munged(&init_user_ns, current_fsuid());
120 req->in.h.gid = from_kgid_munged(&init_user_ns, current_fsgid());
121 req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns);
122}
123
124void fuse_set_initialized(struct fuse_conn *fc)
125{
126 /* Make sure stores before this are seen on another CPU */
127 smp_wmb();
128 fc->initialized = 1;
129}
130
131static bool fuse_block_alloc(struct fuse_conn *fc, bool for_background)
132{
133 return !fc->initialized || (for_background && fc->blocked);
134}
135
136static void fuse_drop_waiting(struct fuse_conn *fc)
137{
138 /*
139 * lockess check of fc->connected is okay, because atomic_dec_and_test()
140 * provides a memory barrier mached with the one in fuse_wait_aborted()
141 * to ensure no wake-up is missed.
142 */
143 if (atomic_dec_and_test(&fc->num_waiting) &&
144 !READ_ONCE(fc->connected)) {
145 /* wake up aborters */
146 wake_up_all(&fc->blocked_waitq);
147 }
148}
149
150static struct fuse_req *__fuse_get_req(struct fuse_conn *fc, unsigned npages,
151 bool for_background)
152{
153 struct fuse_req *req;
154 int err;
155 atomic_inc(&fc->num_waiting);
156
157 if (fuse_block_alloc(fc, for_background)) {
158 err = -EINTR;
159 if (wait_event_killable_exclusive(fc->blocked_waitq,
160 !fuse_block_alloc(fc, for_background)))
161 goto out;
162 }
163 /* Matches smp_wmb() in fuse_set_initialized() */
164 smp_rmb();
165
166 err = -ENOTCONN;
167 if (!fc->connected)
168 goto out;
169
170 err = -ECONNREFUSED;
171 if (fc->conn_error)
172 goto out;
173
174 req = fuse_request_alloc(npages);
175 err = -ENOMEM;
176 if (!req) {
177 if (for_background)
178 wake_up(&fc->blocked_waitq);
179 goto out;
180 }
181
182 fuse_req_init_context(fc, req);
183 __set_bit(FR_WAITING, &req->flags);
184 if (for_background)
185 __set_bit(FR_BACKGROUND, &req->flags);
186
187 return req;
188
189 out:
190 fuse_drop_waiting(fc);
191 return ERR_PTR(err);
192}
193
194struct fuse_req *fuse_get_req(struct fuse_conn *fc, unsigned npages)
195{
196 return __fuse_get_req(fc, npages, false);
197}
198EXPORT_SYMBOL_GPL(fuse_get_req);
199
200struct fuse_req *fuse_get_req_for_background(struct fuse_conn *fc,
201 unsigned npages)
202{
203 return __fuse_get_req(fc, npages, true);
204}
205EXPORT_SYMBOL_GPL(fuse_get_req_for_background);
206
207/*
208 * Return request in fuse_file->reserved_req. However that may
209 * currently be in use. If that is the case, wait for it to become
210 * available.
211 */
212static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
213 struct file *file)
214{
215 struct fuse_req *req = NULL;
216 struct fuse_file *ff = file->private_data;
217
218 do {
219 wait_event(fc->reserved_req_waitq, ff->reserved_req);
220 spin_lock(&fc->lock);
221 if (ff->reserved_req) {
222 req = ff->reserved_req;
223 ff->reserved_req = NULL;
224 req->stolen_file = get_file(file);
225 }
226 spin_unlock(&fc->lock);
227 } while (!req);
228
229 return req;
230}
231
232/*
233 * Put stolen request back into fuse_file->reserved_req
234 */
235static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
236{
237 struct file *file = req->stolen_file;
238 struct fuse_file *ff = file->private_data;
239
240 spin_lock(&fc->lock);
241 fuse_request_init(req, req->pages, req->page_descs, req->max_pages);
242 BUG_ON(ff->reserved_req);
243 ff->reserved_req = req;
244 wake_up_all(&fc->reserved_req_waitq);
245 spin_unlock(&fc->lock);
246 fput(file);
247}
248
249/*
250 * Gets a requests for a file operation, always succeeds
251 *
252 * This is used for sending the FLUSH request, which must get to
253 * userspace, due to POSIX locks which may need to be unlocked.
254 *
255 * If allocation fails due to OOM, use the reserved request in
256 * fuse_file.
257 *
258 * This is very unlikely to deadlock accidentally, since the
259 * filesystem should not have it's own file open. If deadlock is
260 * intentional, it can still be broken by "aborting" the filesystem.
261 */
262struct fuse_req *fuse_get_req_nofail_nopages(struct fuse_conn *fc,
263 struct file *file)
264{
265 struct fuse_req *req;
266
267 atomic_inc(&fc->num_waiting);
268 wait_event(fc->blocked_waitq, fc->initialized);
269 /* Matches smp_wmb() in fuse_set_initialized() */
270 smp_rmb();
271 req = fuse_request_alloc(0);
272 if (!req)
273 req = get_reserved_req(fc, file);
274
275 fuse_req_init_context(fc, req);
276 __set_bit(FR_WAITING, &req->flags);
277 __clear_bit(FR_BACKGROUND, &req->flags);
278 return req;
279}
280
281void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
282{
283 if (refcount_dec_and_test(&req->count)) {
284 if (test_bit(FR_BACKGROUND, &req->flags)) {
285 /*
286 * We get here in the unlikely case that a background
287 * request was allocated but not sent
288 */
289 spin_lock(&fc->lock);
290 if (!fc->blocked)
291 wake_up(&fc->blocked_waitq);
292 spin_unlock(&fc->lock);
293 }
294
295 if (test_bit(FR_WAITING, &req->flags)) {
296 __clear_bit(FR_WAITING, &req->flags);
297 fuse_drop_waiting(fc);
298 }
299
300 if (req->stolen_file)
301 put_reserved_req(fc, req);
302 else
303 fuse_request_free(req);
304 }
305}
306EXPORT_SYMBOL_GPL(fuse_put_request);
307
308static unsigned len_args(unsigned numargs, struct fuse_arg *args)
309{
310 unsigned nbytes = 0;
311 unsigned i;
312
313 for (i = 0; i < numargs; i++)
314 nbytes += args[i].size;
315
316 return nbytes;
317}
318
319static u64 fuse_get_unique(struct fuse_iqueue *fiq)
320{
321 return ++fiq->reqctr;
322}
323
324static void queue_request(struct fuse_iqueue *fiq, struct fuse_req *req)
325{
326 req->in.h.len = sizeof(struct fuse_in_header) +
327 len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
328 list_add_tail(&req->list, &fiq->pending);
329 wake_up_locked(&fiq->waitq);
330 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
331}
332
333void fuse_queue_forget(struct fuse_conn *fc, struct fuse_forget_link *forget,
334 u64 nodeid, u64 nlookup)
335{
336 struct fuse_iqueue *fiq = &fc->iq;
337
338 forget->forget_one.nodeid = nodeid;
339 forget->forget_one.nlookup = nlookup;
340
341 spin_lock(&fiq->waitq.lock);
342 if (fiq->connected) {
343 fiq->forget_list_tail->next = forget;
344 fiq->forget_list_tail = forget;
345 wake_up_locked(&fiq->waitq);
346 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
347 } else {
348 kfree(forget);
349 }
350 spin_unlock(&fiq->waitq.lock);
351}
352
353static void flush_bg_queue(struct fuse_conn *fc)
354{
355 while (fc->active_background < fc->max_background &&
356 !list_empty(&fc->bg_queue)) {
357 struct fuse_req *req;
358 struct fuse_iqueue *fiq = &fc->iq;
359
360 req = list_entry(fc->bg_queue.next, struct fuse_req, list);
361 list_del(&req->list);
362 fc->active_background++;
363 spin_lock(&fiq->waitq.lock);
364 req->in.h.unique = fuse_get_unique(fiq);
365 queue_request(fiq, req);
366 spin_unlock(&fiq->waitq.lock);
367 }
368}
369
370/*
371 * This function is called when a request is finished. Either a reply
372 * has arrived or it was aborted (and not yet sent) or some error
373 * occurred during communication with userspace, or the device file
374 * was closed. The requester thread is woken up (if still waiting),
375 * the 'end' callback is called if given, else the reference to the
376 * request is released
377 */
378static void request_end(struct fuse_conn *fc, struct fuse_req *req)
379{
380 struct fuse_iqueue *fiq = &fc->iq;
381
382 if (test_and_set_bit(FR_FINISHED, &req->flags))
383 goto put_request;
384
385 spin_lock(&fiq->waitq.lock);
386 list_del_init(&req->intr_entry);
387 spin_unlock(&fiq->waitq.lock);
388 WARN_ON(test_bit(FR_PENDING, &req->flags));
389 WARN_ON(test_bit(FR_SENT, &req->flags));
390 if (test_bit(FR_BACKGROUND, &req->flags)) {
391 spin_lock(&fc->lock);
392 clear_bit(FR_BACKGROUND, &req->flags);
393 if (fc->num_background == fc->max_background) {
394 fc->blocked = 0;
395 wake_up(&fc->blocked_waitq);
396 } else if (!fc->blocked) {
397 /*
398 * Wake up next waiter, if any. It's okay to use
399 * waitqueue_active(), as we've already synced up
400 * fc->blocked with waiters with the wake_up() call
401 * above.
402 */
403 if (waitqueue_active(&fc->blocked_waitq))
404 wake_up(&fc->blocked_waitq);
405 }
406
407 if (fc->num_background == fc->congestion_threshold && fc->sb) {
408 clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
409 clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
410 }
411 fc->num_background--;
412 fc->active_background--;
413 flush_bg_queue(fc);
414 spin_unlock(&fc->lock);
415 }
416 wake_up(&req->waitq);
417 if (req->end)
418 req->end(fc, req);
419put_request:
420 fuse_put_request(fc, req);
421}
422
423static void queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req)
424{
425 spin_lock(&fiq->waitq.lock);
426 if (test_bit(FR_FINISHED, &req->flags)) {
427 spin_unlock(&fiq->waitq.lock);
428 return;
429 }
430 if (list_empty(&req->intr_entry)) {
431 list_add_tail(&req->intr_entry, &fiq->interrupts);
432 wake_up_locked(&fiq->waitq);
433 }
434 spin_unlock(&fiq->waitq.lock);
435 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
436}
437
438static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
439{
440 struct fuse_iqueue *fiq = &fc->iq;
441 int err;
442
443 if (!fc->no_interrupt) {
444 /* Any signal may interrupt this */
445 err = wait_event_interruptible(req->waitq,
446 test_bit(FR_FINISHED, &req->flags));
447 if (!err)
448 return;
449
450 set_bit(FR_INTERRUPTED, &req->flags);
451 /* matches barrier in fuse_dev_do_read() */
452 smp_mb__after_atomic();
453 if (test_bit(FR_SENT, &req->flags))
454 queue_interrupt(fiq, req);
455 }
456
457 if (!test_bit(FR_FORCE, &req->flags)) {
458 /* Only fatal signals may interrupt this */
459 err = wait_event_killable(req->waitq,
460 test_bit(FR_FINISHED, &req->flags));
461 if (!err)
462 return;
463
464 spin_lock(&fiq->waitq.lock);
465 /* Request is not yet in userspace, bail out */
466 if (test_bit(FR_PENDING, &req->flags)) {
467 list_del(&req->list);
468 spin_unlock(&fiq->waitq.lock);
469 __fuse_put_request(req);
470 req->out.h.error = -EINTR;
471 return;
472 }
473 spin_unlock(&fiq->waitq.lock);
474 }
475
476 /*
477 * Either request is already in userspace, or it was forced.
478 * Wait it out.
479 */
480 while (!test_bit(FR_FINISHED, &req->flags))
481 wait_event_freezable(req->waitq,
482 test_bit(FR_FINISHED, &req->flags));
483}
484
485static void __fuse_request_send(struct fuse_conn *fc, struct fuse_req *req)
486{
487 struct fuse_iqueue *fiq = &fc->iq;
488
489 BUG_ON(test_bit(FR_BACKGROUND, &req->flags));
490 spin_lock(&fiq->waitq.lock);
491 if (!fiq->connected) {
492 spin_unlock(&fiq->waitq.lock);
493 req->out.h.error = -ENOTCONN;
494 } else {
495 req->in.h.unique = fuse_get_unique(fiq);
496 queue_request(fiq, req);
497 /* acquire extra reference, since request is still needed
498 after request_end() */
499 __fuse_get_request(req);
500 spin_unlock(&fiq->waitq.lock);
501
502 request_wait_answer(fc, req);
503 /* Pairs with smp_wmb() in request_end() */
504 smp_rmb();
505 }
506}
507
508void fuse_request_send(struct fuse_conn *fc, struct fuse_req *req)
509{
510 __set_bit(FR_ISREPLY, &req->flags);
511 if (!test_bit(FR_WAITING, &req->flags)) {
512 __set_bit(FR_WAITING, &req->flags);
513 atomic_inc(&fc->num_waiting);
514 }
515 __fuse_request_send(fc, req);
516}
517EXPORT_SYMBOL_GPL(fuse_request_send);
518
519static void fuse_adjust_compat(struct fuse_conn *fc, struct fuse_args *args)
520{
521 if (fc->minor < 4 && args->in.h.opcode == FUSE_STATFS)
522 args->out.args[0].size = FUSE_COMPAT_STATFS_SIZE;
523
524 if (fc->minor < 9) {
525 switch (args->in.h.opcode) {
526 case FUSE_LOOKUP:
527 case FUSE_CREATE:
528 case FUSE_MKNOD:
529 case FUSE_MKDIR:
530 case FUSE_SYMLINK:
531 case FUSE_LINK:
532 args->out.args[0].size = FUSE_COMPAT_ENTRY_OUT_SIZE;
533 break;
534 case FUSE_GETATTR:
535 case FUSE_SETATTR:
536 args->out.args[0].size = FUSE_COMPAT_ATTR_OUT_SIZE;
537 break;
538 }
539 }
540 if (fc->minor < 12) {
541 switch (args->in.h.opcode) {
542 case FUSE_CREATE:
543 args->in.args[0].size = sizeof(struct fuse_open_in);
544 break;
545 case FUSE_MKNOD:
546 args->in.args[0].size = FUSE_COMPAT_MKNOD_IN_SIZE;
547 break;
548 }
549 }
550}
551
552ssize_t fuse_simple_request(struct fuse_conn *fc, struct fuse_args *args)
553{
554 struct fuse_req *req;
555 ssize_t ret;
556
557 req = fuse_get_req(fc, 0);
558 if (IS_ERR(req))
559 return PTR_ERR(req);
560
561 /* Needs to be done after fuse_get_req() so that fc->minor is valid */
562 fuse_adjust_compat(fc, args);
563
564 req->in.h.opcode = args->in.h.opcode;
565 req->in.h.nodeid = args->in.h.nodeid;
566 req->in.numargs = args->in.numargs;
567 memcpy(req->in.args, args->in.args,
568 args->in.numargs * sizeof(struct fuse_in_arg));
569 req->out.argvar = args->out.argvar;
570 req->out.numargs = args->out.numargs;
571 memcpy(req->out.args, args->out.args,
572 args->out.numargs * sizeof(struct fuse_arg));
573 fuse_request_send(fc, req);
574 ret = req->out.h.error;
575 if (!ret && args->out.argvar) {
576 BUG_ON(args->out.numargs != 1);
577 ret = req->out.args[0].size;
578 }
579 fuse_put_request(fc, req);
580
581 return ret;
582}
583
584/*
585 * Called under fc->lock
586 *
587 * fc->connected must have been checked previously
588 */
589void fuse_request_send_background_locked(struct fuse_conn *fc,
590 struct fuse_req *req)
591{
592 BUG_ON(!test_bit(FR_BACKGROUND, &req->flags));
593 if (!test_bit(FR_WAITING, &req->flags)) {
594 __set_bit(FR_WAITING, &req->flags);
595 atomic_inc(&fc->num_waiting);
596 }
597 __set_bit(FR_ISREPLY, &req->flags);
598 fc->num_background++;
599 if (fc->num_background == fc->max_background)
600 fc->blocked = 1;
601 if (fc->num_background == fc->congestion_threshold && fc->sb) {
602 set_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
603 set_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
604 }
605 list_add_tail(&req->list, &fc->bg_queue);
606 flush_bg_queue(fc);
607}
608
609void fuse_request_send_background(struct fuse_conn *fc, struct fuse_req *req)
610{
611 BUG_ON(!req->end);
612 spin_lock(&fc->lock);
613 if (fc->connected) {
614 fuse_request_send_background_locked(fc, req);
615 spin_unlock(&fc->lock);
616 } else {
617 spin_unlock(&fc->lock);
618 req->out.h.error = -ENOTCONN;
619 req->end(fc, req);
620 fuse_put_request(fc, req);
621 }
622}
623EXPORT_SYMBOL_GPL(fuse_request_send_background);
624
625static int fuse_request_send_notify_reply(struct fuse_conn *fc,
626 struct fuse_req *req, u64 unique)
627{
628 int err = -ENODEV;
629 struct fuse_iqueue *fiq = &fc->iq;
630
631 __clear_bit(FR_ISREPLY, &req->flags);
632 req->in.h.unique = unique;
633 spin_lock(&fiq->waitq.lock);
634 if (fiq->connected) {
635 queue_request(fiq, req);
636 err = 0;
637 }
638 spin_unlock(&fiq->waitq.lock);
639
640 return err;
641}
642
643void fuse_force_forget(struct file *file, u64 nodeid)
644{
645 struct inode *inode = file_inode(file);
646 struct fuse_conn *fc = get_fuse_conn(inode);
647 struct fuse_req *req;
648 struct fuse_forget_in inarg;
649
650 memset(&inarg, 0, sizeof(inarg));
651 inarg.nlookup = 1;
652 req = fuse_get_req_nofail_nopages(fc, file);
653 req->in.h.opcode = FUSE_FORGET;
654 req->in.h.nodeid = nodeid;
655 req->in.numargs = 1;
656 req->in.args[0].size = sizeof(inarg);
657 req->in.args[0].value = &inarg;
658 __clear_bit(FR_ISREPLY, &req->flags);
659 __fuse_request_send(fc, req);
660 /* ignore errors */
661 fuse_put_request(fc, req);
662}
663
664/*
665 * Lock the request. Up to the next unlock_request() there mustn't be
666 * anything that could cause a page-fault. If the request was already
667 * aborted bail out.
668 */
669static int lock_request(struct fuse_req *req)
670{
671 int err = 0;
672 if (req) {
673 spin_lock(&req->waitq.lock);
674 if (test_bit(FR_ABORTED, &req->flags))
675 err = -ENOENT;
676 else
677 set_bit(FR_LOCKED, &req->flags);
678 spin_unlock(&req->waitq.lock);
679 }
680 return err;
681}
682
683/*
684 * Unlock request. If it was aborted while locked, caller is responsible
685 * for unlocking and ending the request.
686 */
687static int unlock_request(struct fuse_req *req)
688{
689 int err = 0;
690 if (req) {
691 spin_lock(&req->waitq.lock);
692 if (test_bit(FR_ABORTED, &req->flags))
693 err = -ENOENT;
694 else
695 clear_bit(FR_LOCKED, &req->flags);
696 spin_unlock(&req->waitq.lock);
697 }
698 return err;
699}
700
701struct fuse_copy_state {
702 int write;
703 struct fuse_req *req;
704 struct iov_iter *iter;
705 struct pipe_buffer *pipebufs;
706 struct pipe_buffer *currbuf;
707 struct pipe_inode_info *pipe;
708 unsigned long nr_segs;
709 struct page *pg;
710 unsigned len;
711 unsigned offset;
712 unsigned move_pages:1;
713};
714
715static void fuse_copy_init(struct fuse_copy_state *cs, int write,
716 struct iov_iter *iter)
717{
718 memset(cs, 0, sizeof(*cs));
719 cs->write = write;
720 cs->iter = iter;
721}
722
723/* Unmap and put previous page of userspace buffer */
724static void fuse_copy_finish(struct fuse_copy_state *cs)
725{
726 if (cs->currbuf) {
727 struct pipe_buffer *buf = cs->currbuf;
728
729 if (cs->write)
730 buf->len = PAGE_SIZE - cs->len;
731 cs->currbuf = NULL;
732 } else if (cs->pg) {
733 if (cs->write) {
734 flush_dcache_page(cs->pg);
735 set_page_dirty_lock(cs->pg);
736 }
737 put_page(cs->pg);
738 }
739 cs->pg = NULL;
740}
741
742/*
743 * Get another pagefull of userspace buffer, and map it to kernel
744 * address space, and lock request
745 */
746static int fuse_copy_fill(struct fuse_copy_state *cs)
747{
748 struct page *page;
749 int err;
750
751 err = unlock_request(cs->req);
752 if (err)
753 return err;
754
755 fuse_copy_finish(cs);
756 if (cs->pipebufs) {
757 struct pipe_buffer *buf = cs->pipebufs;
758
759 if (!cs->write) {
760 err = pipe_buf_confirm(cs->pipe, buf);
761 if (err)
762 return err;
763
764 BUG_ON(!cs->nr_segs);
765 cs->currbuf = buf;
766 cs->pg = buf->page;
767 cs->offset = buf->offset;
768 cs->len = buf->len;
769 cs->pipebufs++;
770 cs->nr_segs--;
771 } else {
772 if (cs->nr_segs == cs->pipe->buffers)
773 return -EIO;
774
775 page = alloc_page(GFP_HIGHUSER);
776 if (!page)
777 return -ENOMEM;
778
779 buf->page = page;
780 buf->offset = 0;
781 buf->len = 0;
782
783 cs->currbuf = buf;
784 cs->pg = page;
785 cs->offset = 0;
786 cs->len = PAGE_SIZE;
787 cs->pipebufs++;
788 cs->nr_segs++;
789 }
790 } else {
791 size_t off;
792 err = iov_iter_get_pages(cs->iter, &page, PAGE_SIZE, 1, &off);
793 if (err < 0)
794 return err;
795 BUG_ON(!err);
796 cs->len = err;
797 cs->offset = off;
798 cs->pg = page;
799 iov_iter_advance(cs->iter, err);
800 }
801
802 return lock_request(cs->req);
803}
804
805/* Do as much copy to/from userspace buffer as we can */
806static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
807{
808 unsigned ncpy = min(*size, cs->len);
809 if (val) {
810 void *pgaddr = kmap_atomic(cs->pg);
811 void *buf = pgaddr + cs->offset;
812
813 if (cs->write)
814 memcpy(buf, *val, ncpy);
815 else
816 memcpy(*val, buf, ncpy);
817
818 kunmap_atomic(pgaddr);
819 *val += ncpy;
820 }
821 *size -= ncpy;
822 cs->len -= ncpy;
823 cs->offset += ncpy;
824 return ncpy;
825}
826
827static int fuse_check_page(struct page *page)
828{
829 if (page_mapcount(page) ||
830 page->mapping != NULL ||
831 (page->flags & PAGE_FLAGS_CHECK_AT_PREP &
832 ~(1 << PG_locked |
833 1 << PG_referenced |
834 1 << PG_uptodate |
835 1 << PG_lru |
836 1 << PG_active |
837 1 << PG_reclaim))) {
838 printk(KERN_WARNING "fuse: trying to steal weird page\n");
839 printk(KERN_WARNING " page=%p index=%li flags=%08lx, count=%i, mapcount=%i, mapping=%p\n", page, page->index, page->flags, page_count(page), page_mapcount(page), page->mapping);
840 return 1;
841 }
842 return 0;
843}
844
845static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep)
846{
847 int err;
848 struct page *oldpage = *pagep;
849 struct page *newpage;
850 struct pipe_buffer *buf = cs->pipebufs;
851
852 err = unlock_request(cs->req);
853 if (err)
854 return err;
855
856 fuse_copy_finish(cs);
857
858 err = pipe_buf_confirm(cs->pipe, buf);
859 if (err)
860 return err;
861
862 BUG_ON(!cs->nr_segs);
863 cs->currbuf = buf;
864 cs->len = buf->len;
865 cs->pipebufs++;
866 cs->nr_segs--;
867
868 if (cs->len != PAGE_SIZE)
869 goto out_fallback;
870
871 if (pipe_buf_steal(cs->pipe, buf) != 0)
872 goto out_fallback;
873
874 newpage = buf->page;
875
876 if (!PageUptodate(newpage))
877 SetPageUptodate(newpage);
878
879 ClearPageMappedToDisk(newpage);
880
881 if (fuse_check_page(newpage) != 0)
882 goto out_fallback_unlock;
883
884 /*
885 * This is a new and locked page, it shouldn't be mapped or
886 * have any special flags on it
887 */
888 if (WARN_ON(page_mapped(oldpage)))
889 goto out_fallback_unlock;
890 if (WARN_ON(page_has_private(oldpage)))
891 goto out_fallback_unlock;
892 if (WARN_ON(PageDirty(oldpage) || PageWriteback(oldpage)))
893 goto out_fallback_unlock;
894 if (WARN_ON(PageMlocked(oldpage)))
895 goto out_fallback_unlock;
896
897 err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL);
898 if (err) {
899 unlock_page(newpage);
900 return err;
901 }
902
903 get_page(newpage);
904
905 if (!(buf->flags & PIPE_BUF_FLAG_LRU))
906 lru_cache_add_file(newpage);
907
908 err = 0;
909 spin_lock(&cs->req->waitq.lock);
910 if (test_bit(FR_ABORTED, &cs->req->flags))
911 err = -ENOENT;
912 else
913 *pagep = newpage;
914 spin_unlock(&cs->req->waitq.lock);
915
916 if (err) {
917 unlock_page(newpage);
918 put_page(newpage);
919 return err;
920 }
921
922 unlock_page(oldpage);
923 put_page(oldpage);
924 cs->len = 0;
925
926 return 0;
927
928out_fallback_unlock:
929 unlock_page(newpage);
930out_fallback:
931 cs->pg = buf->page;
932 cs->offset = buf->offset;
933
934 err = lock_request(cs->req);
935 if (err)
936 return err;
937
938 return 1;
939}
940
941static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page,
942 unsigned offset, unsigned count)
943{
944 struct pipe_buffer *buf;
945 int err;
946
947 if (cs->nr_segs == cs->pipe->buffers)
948 return -EIO;
949
950 err = unlock_request(cs->req);
951 if (err)
952 return err;
953
954 fuse_copy_finish(cs);
955
956 buf = cs->pipebufs;
957 get_page(page);
958 buf->page = page;
959 buf->offset = offset;
960 buf->len = count;
961
962 cs->pipebufs++;
963 cs->nr_segs++;
964 cs->len = 0;
965
966 return 0;
967}
968
969/*
970 * Copy a page in the request to/from the userspace buffer. Must be
971 * done atomically
972 */
973static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep,
974 unsigned offset, unsigned count, int zeroing)
975{
976 int err;
977 struct page *page = *pagep;
978
979 if (page && zeroing && count < PAGE_SIZE)
980 clear_highpage(page);
981
982 while (count) {
983 if (cs->write && cs->pipebufs && page) {
984 return fuse_ref_page(cs, page, offset, count);
985 } else if (!cs->len) {
986 if (cs->move_pages && page &&
987 offset == 0 && count == PAGE_SIZE) {
988 err = fuse_try_move_page(cs, pagep);
989 if (err <= 0)
990 return err;
991 } else {
992 err = fuse_copy_fill(cs);
993 if (err)
994 return err;
995 }
996 }
997 if (page) {
998 void *mapaddr = kmap_atomic(page);
999 void *buf = mapaddr + offset;
1000 offset += fuse_copy_do(cs, &buf, &count);
1001 kunmap_atomic(mapaddr);
1002 } else
1003 offset += fuse_copy_do(cs, NULL, &count);
1004 }
1005 if (page && !cs->write)
1006 flush_dcache_page(page);
1007 return 0;
1008}
1009
1010/* Copy pages in the request to/from userspace buffer */
1011static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
1012 int zeroing)
1013{
1014 unsigned i;
1015 struct fuse_req *req = cs->req;
1016
1017 for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
1018 int err;
1019 unsigned offset = req->page_descs[i].offset;
1020 unsigned count = min(nbytes, req->page_descs[i].length);
1021
1022 err = fuse_copy_page(cs, &req->pages[i], offset, count,
1023 zeroing);
1024 if (err)
1025 return err;
1026
1027 nbytes -= count;
1028 }
1029 return 0;
1030}
1031
1032/* Copy a single argument in the request to/from userspace buffer */
1033static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
1034{
1035 while (size) {
1036 if (!cs->len) {
1037 int err = fuse_copy_fill(cs);
1038 if (err)
1039 return err;
1040 }
1041 fuse_copy_do(cs, &val, &size);
1042 }
1043 return 0;
1044}
1045
1046/* Copy request arguments to/from userspace buffer */
1047static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
1048 unsigned argpages, struct fuse_arg *args,
1049 int zeroing)
1050{
1051 int err = 0;
1052 unsigned i;
1053
1054 for (i = 0; !err && i < numargs; i++) {
1055 struct fuse_arg *arg = &args[i];
1056 if (i == numargs - 1 && argpages)
1057 err = fuse_copy_pages(cs, arg->size, zeroing);
1058 else
1059 err = fuse_copy_one(cs, arg->value, arg->size);
1060 }
1061 return err;
1062}
1063
1064static int forget_pending(struct fuse_iqueue *fiq)
1065{
1066 return fiq->forget_list_head.next != NULL;
1067}
1068
1069static int request_pending(struct fuse_iqueue *fiq)
1070{
1071 return !list_empty(&fiq->pending) || !list_empty(&fiq->interrupts) ||
1072 forget_pending(fiq);
1073}
1074
1075/*
1076 * Transfer an interrupt request to userspace
1077 *
1078 * Unlike other requests this is assembled on demand, without a need
1079 * to allocate a separate fuse_req structure.
1080 *
1081 * Called with fiq->waitq.lock held, releases it
1082 */
1083static int fuse_read_interrupt(struct fuse_iqueue *fiq,
1084 struct fuse_copy_state *cs,
1085 size_t nbytes, struct fuse_req *req)
1086__releases(fiq->waitq.lock)
1087{
1088 struct fuse_in_header ih;
1089 struct fuse_interrupt_in arg;
1090 unsigned reqsize = sizeof(ih) + sizeof(arg);
1091 int err;
1092
1093 list_del_init(&req->intr_entry);
1094 req->intr_unique = fuse_get_unique(fiq);
1095 memset(&ih, 0, sizeof(ih));
1096 memset(&arg, 0, sizeof(arg));
1097 ih.len = reqsize;
1098 ih.opcode = FUSE_INTERRUPT;
1099 ih.unique = req->intr_unique;
1100 arg.unique = req->in.h.unique;
1101
1102 spin_unlock(&fiq->waitq.lock);
1103 if (nbytes < reqsize)
1104 return -EINVAL;
1105
1106 err = fuse_copy_one(cs, &ih, sizeof(ih));
1107 if (!err)
1108 err = fuse_copy_one(cs, &arg, sizeof(arg));
1109 fuse_copy_finish(cs);
1110
1111 return err ? err : reqsize;
1112}
1113
1114static struct fuse_forget_link *dequeue_forget(struct fuse_iqueue *fiq,
1115 unsigned max,
1116 unsigned *countp)
1117{
1118 struct fuse_forget_link *head = fiq->forget_list_head.next;
1119 struct fuse_forget_link **newhead = &head;
1120 unsigned count;
1121
1122 for (count = 0; *newhead != NULL && count < max; count++)
1123 newhead = &(*newhead)->next;
1124
1125 fiq->forget_list_head.next = *newhead;
1126 *newhead = NULL;
1127 if (fiq->forget_list_head.next == NULL)
1128 fiq->forget_list_tail = &fiq->forget_list_head;
1129
1130 if (countp != NULL)
1131 *countp = count;
1132
1133 return head;
1134}
1135
1136static int fuse_read_single_forget(struct fuse_iqueue *fiq,
1137 struct fuse_copy_state *cs,
1138 size_t nbytes)
1139__releases(fiq->waitq.lock)
1140{
1141 int err;
1142 struct fuse_forget_link *forget = dequeue_forget(fiq, 1, NULL);
1143 struct fuse_forget_in arg = {
1144 .nlookup = forget->forget_one.nlookup,
1145 };
1146 struct fuse_in_header ih = {
1147 .opcode = FUSE_FORGET,
1148 .nodeid = forget->forget_one.nodeid,
1149 .unique = fuse_get_unique(fiq),
1150 .len = sizeof(ih) + sizeof(arg),
1151 };
1152
1153 spin_unlock(&fiq->waitq.lock);
1154 kfree(forget);
1155 if (nbytes < ih.len)
1156 return -EINVAL;
1157
1158 err = fuse_copy_one(cs, &ih, sizeof(ih));
1159 if (!err)
1160 err = fuse_copy_one(cs, &arg, sizeof(arg));
1161 fuse_copy_finish(cs);
1162
1163 if (err)
1164 return err;
1165
1166 return ih.len;
1167}
1168
1169static int fuse_read_batch_forget(struct fuse_iqueue *fiq,
1170 struct fuse_copy_state *cs, size_t nbytes)
1171__releases(fiq->waitq.lock)
1172{
1173 int err;
1174 unsigned max_forgets;
1175 unsigned count;
1176 struct fuse_forget_link *head;
1177 struct fuse_batch_forget_in arg = { .count = 0 };
1178 struct fuse_in_header ih = {
1179 .opcode = FUSE_BATCH_FORGET,
1180 .unique = fuse_get_unique(fiq),
1181 .len = sizeof(ih) + sizeof(arg),
1182 };
1183
1184 if (nbytes < ih.len) {
1185 spin_unlock(&fiq->waitq.lock);
1186 return -EINVAL;
1187 }
1188
1189 max_forgets = (nbytes - ih.len) / sizeof(struct fuse_forget_one);
1190 head = dequeue_forget(fiq, max_forgets, &count);
1191 spin_unlock(&fiq->waitq.lock);
1192
1193 arg.count = count;
1194 ih.len += count * sizeof(struct fuse_forget_one);
1195 err = fuse_copy_one(cs, &ih, sizeof(ih));
1196 if (!err)
1197 err = fuse_copy_one(cs, &arg, sizeof(arg));
1198
1199 while (head) {
1200 struct fuse_forget_link *forget = head;
1201
1202 if (!err) {
1203 err = fuse_copy_one(cs, &forget->forget_one,
1204 sizeof(forget->forget_one));
1205 }
1206 head = forget->next;
1207 kfree(forget);
1208 }
1209
1210 fuse_copy_finish(cs);
1211
1212 if (err)
1213 return err;
1214
1215 return ih.len;
1216}
1217
1218static int fuse_read_forget(struct fuse_conn *fc, struct fuse_iqueue *fiq,
1219 struct fuse_copy_state *cs,
1220 size_t nbytes)
1221__releases(fiq->waitq.lock)
1222{
1223 if (fc->minor < 16 || fiq->forget_list_head.next->next == NULL)
1224 return fuse_read_single_forget(fiq, cs, nbytes);
1225 else
1226 return fuse_read_batch_forget(fiq, cs, nbytes);
1227}
1228
1229/*
1230 * Read a single request into the userspace filesystem's buffer. This
1231 * function waits until a request is available, then removes it from
1232 * the pending list and copies request data to userspace buffer. If
1233 * no reply is needed (FORGET) or request has been aborted or there
1234 * was an error during the copying then it's finished by calling
1235 * request_end(). Otherwise add it to the processing list, and set
1236 * the 'sent' flag.
1237 */
1238static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file,
1239 struct fuse_copy_state *cs, size_t nbytes)
1240{
1241 ssize_t err;
1242 struct fuse_conn *fc = fud->fc;
1243 struct fuse_iqueue *fiq = &fc->iq;
1244 struct fuse_pqueue *fpq = &fud->pq;
1245 struct fuse_req *req;
1246 struct fuse_in *in;
1247 unsigned reqsize;
1248
1249 restart:
1250 spin_lock(&fiq->waitq.lock);
1251 err = -EAGAIN;
1252 if ((file->f_flags & O_NONBLOCK) && fiq->connected &&
1253 !request_pending(fiq))
1254 goto err_unlock;
1255
1256 err = wait_event_interruptible_exclusive_locked(fiq->waitq,
1257 !fiq->connected || request_pending(fiq));
1258 if (err)
1259 goto err_unlock;
1260
1261 err = -ENODEV;
1262 if (!fiq->connected)
1263 goto err_unlock;
1264
1265 if (!list_empty(&fiq->interrupts)) {
1266 req = list_entry(fiq->interrupts.next, struct fuse_req,
1267 intr_entry);
1268 return fuse_read_interrupt(fiq, cs, nbytes, req);
1269 }
1270
1271 if (forget_pending(fiq)) {
1272 if (list_empty(&fiq->pending) || fiq->forget_batch-- > 0)
1273 return fuse_read_forget(fc, fiq, cs, nbytes);
1274
1275 if (fiq->forget_batch <= -8)
1276 fiq->forget_batch = 16;
1277 }
1278
1279 req = list_entry(fiq->pending.next, struct fuse_req, list);
1280 clear_bit(FR_PENDING, &req->flags);
1281 list_del_init(&req->list);
1282 spin_unlock(&fiq->waitq.lock);
1283
1284 in = &req->in;
1285 reqsize = in->h.len;
1286
1287 if (task_active_pid_ns(current) != fc->pid_ns) {
1288 rcu_read_lock();
1289 in->h.pid = pid_vnr(find_pid_ns(in->h.pid, fc->pid_ns));
1290 rcu_read_unlock();
1291 }
1292
1293 /* If request is too large, reply with an error and restart the read */
1294 if (nbytes < reqsize) {
1295 req->out.h.error = -EIO;
1296 /* SETXATTR is special, since it may contain too large data */
1297 if (in->h.opcode == FUSE_SETXATTR)
1298 req->out.h.error = -E2BIG;
1299 request_end(fc, req);
1300 goto restart;
1301 }
1302 spin_lock(&fpq->lock);
1303 list_add(&req->list, &fpq->io);
1304 spin_unlock(&fpq->lock);
1305 cs->req = req;
1306 err = fuse_copy_one(cs, &in->h, sizeof(in->h));
1307 if (!err)
1308 err = fuse_copy_args(cs, in->numargs, in->argpages,
1309 (struct fuse_arg *) in->args, 0);
1310 fuse_copy_finish(cs);
1311 spin_lock(&fpq->lock);
1312 clear_bit(FR_LOCKED, &req->flags);
1313 if (!fpq->connected) {
1314 err = -ENODEV;
1315 goto out_end;
1316 }
1317 if (err) {
1318 req->out.h.error = -EIO;
1319 goto out_end;
1320 }
1321 if (!test_bit(FR_ISREPLY, &req->flags)) {
1322 err = reqsize;
1323 goto out_end;
1324 }
1325 list_move_tail(&req->list, &fpq->processing);
1326 __fuse_get_request(req);
1327 set_bit(FR_SENT, &req->flags);
1328 spin_unlock(&fpq->lock);
1329 /* matches barrier in request_wait_answer() */
1330 smp_mb__after_atomic();
1331 if (test_bit(FR_INTERRUPTED, &req->flags))
1332 queue_interrupt(fiq, req);
1333 fuse_put_request(fc, req);
1334
1335 return reqsize;
1336
1337out_end:
1338 if (!test_bit(FR_PRIVATE, &req->flags))
1339 list_del_init(&req->list);
1340 spin_unlock(&fpq->lock);
1341 request_end(fc, req);
1342 return err;
1343
1344 err_unlock:
1345 spin_unlock(&fiq->waitq.lock);
1346 return err;
1347}
1348
1349static int fuse_dev_open(struct inode *inode, struct file *file)
1350{
1351 /*
1352 * The fuse device's file's private_data is used to hold
1353 * the fuse_conn(ection) when it is mounted, and is used to
1354 * keep track of whether the file has been mounted already.
1355 */
1356 file->private_data = NULL;
1357 return 0;
1358}
1359
1360static ssize_t fuse_dev_read(struct kiocb *iocb, struct iov_iter *to)
1361{
1362 struct fuse_copy_state cs;
1363 struct file *file = iocb->ki_filp;
1364 struct fuse_dev *fud = fuse_get_dev(file);
1365
1366 if (!fud)
1367 return -EPERM;
1368
1369 if (!iter_is_iovec(to))
1370 return -EINVAL;
1371
1372 fuse_copy_init(&cs, 1, to);
1373
1374 return fuse_dev_do_read(fud, file, &cs, iov_iter_count(to));
1375}
1376
1377static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
1378 struct pipe_inode_info *pipe,
1379 size_t len, unsigned int flags)
1380{
1381 int total, ret;
1382 int page_nr = 0;
1383 struct pipe_buffer *bufs;
1384 struct fuse_copy_state cs;
1385 struct fuse_dev *fud = fuse_get_dev(in);
1386
1387 if (!fud)
1388 return -EPERM;
1389
1390 bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
1391 if (!bufs)
1392 return -ENOMEM;
1393
1394 fuse_copy_init(&cs, 1, NULL);
1395 cs.pipebufs = bufs;
1396 cs.pipe = pipe;
1397 ret = fuse_dev_do_read(fud, in, &cs, len);
1398 if (ret < 0)
1399 goto out;
1400
1401 if (pipe->nrbufs + cs.nr_segs > pipe->buffers) {
1402 ret = -EIO;
1403 goto out;
1404 }
1405
1406 for (ret = total = 0; page_nr < cs.nr_segs; total += ret) {
1407 /*
1408 * Need to be careful about this. Having buf->ops in module
1409 * code can Oops if the buffer persists after module unload.
1410 */
1411 bufs[page_nr].ops = &nosteal_pipe_buf_ops;
1412 bufs[page_nr].flags = 0;
1413 ret = add_to_pipe(pipe, &bufs[page_nr++]);
1414 if (unlikely(ret < 0))
1415 break;
1416 }
1417 if (total)
1418 ret = total;
1419out:
1420 for (; page_nr < cs.nr_segs; page_nr++)
1421 put_page(bufs[page_nr].page);
1422
1423 kfree(bufs);
1424 return ret;
1425}
1426
1427static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
1428 struct fuse_copy_state *cs)
1429{
1430 struct fuse_notify_poll_wakeup_out outarg;
1431 int err = -EINVAL;
1432
1433 if (size != sizeof(outarg))
1434 goto err;
1435
1436 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1437 if (err)
1438 goto err;
1439
1440 fuse_copy_finish(cs);
1441 return fuse_notify_poll_wakeup(fc, &outarg);
1442
1443err:
1444 fuse_copy_finish(cs);
1445 return err;
1446}
1447
1448static int fuse_notify_inval_inode(struct fuse_conn *fc, unsigned int size,
1449 struct fuse_copy_state *cs)
1450{
1451 struct fuse_notify_inval_inode_out outarg;
1452 int err = -EINVAL;
1453
1454 if (size != sizeof(outarg))
1455 goto err;
1456
1457 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1458 if (err)
1459 goto err;
1460 fuse_copy_finish(cs);
1461
1462 down_read(&fc->killsb);
1463 err = -ENOENT;
1464 if (fc->sb) {
1465 err = fuse_reverse_inval_inode(fc->sb, outarg.ino,
1466 outarg.off, outarg.len);
1467 }
1468 up_read(&fc->killsb);
1469 return err;
1470
1471err:
1472 fuse_copy_finish(cs);
1473 return err;
1474}
1475
1476static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
1477 struct fuse_copy_state *cs)
1478{
1479 struct fuse_notify_inval_entry_out outarg;
1480 int err = -ENOMEM;
1481 char *buf;
1482 struct qstr name;
1483
1484 buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
1485 if (!buf)
1486 goto err;
1487
1488 err = -EINVAL;
1489 if (size < sizeof(outarg))
1490 goto err;
1491
1492 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1493 if (err)
1494 goto err;
1495
1496 err = -ENAMETOOLONG;
1497 if (outarg.namelen > FUSE_NAME_MAX)
1498 goto err;
1499
1500 err = -EINVAL;
1501 if (size != sizeof(outarg) + outarg.namelen + 1)
1502 goto err;
1503
1504 name.name = buf;
1505 name.len = outarg.namelen;
1506 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
1507 if (err)
1508 goto err;
1509 fuse_copy_finish(cs);
1510 buf[outarg.namelen] = 0;
1511
1512 down_read(&fc->killsb);
1513 err = -ENOENT;
1514 if (fc->sb)
1515 err = fuse_reverse_inval_entry(fc->sb, outarg.parent, 0, &name);
1516 up_read(&fc->killsb);
1517 kfree(buf);
1518 return err;
1519
1520err:
1521 kfree(buf);
1522 fuse_copy_finish(cs);
1523 return err;
1524}
1525
1526static int fuse_notify_delete(struct fuse_conn *fc, unsigned int size,
1527 struct fuse_copy_state *cs)
1528{
1529 struct fuse_notify_delete_out outarg;
1530 int err = -ENOMEM;
1531 char *buf;
1532 struct qstr name;
1533
1534 buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
1535 if (!buf)
1536 goto err;
1537
1538 err = -EINVAL;
1539 if (size < sizeof(outarg))
1540 goto err;
1541
1542 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1543 if (err)
1544 goto err;
1545
1546 err = -ENAMETOOLONG;
1547 if (outarg.namelen > FUSE_NAME_MAX)
1548 goto err;
1549
1550 err = -EINVAL;
1551 if (size != sizeof(outarg) + outarg.namelen + 1)
1552 goto err;
1553
1554 name.name = buf;
1555 name.len = outarg.namelen;
1556 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
1557 if (err)
1558 goto err;
1559 fuse_copy_finish(cs);
1560 buf[outarg.namelen] = 0;
1561
1562 down_read(&fc->killsb);
1563 err = -ENOENT;
1564 if (fc->sb)
1565 err = fuse_reverse_inval_entry(fc->sb, outarg.parent,
1566 outarg.child, &name);
1567 up_read(&fc->killsb);
1568 kfree(buf);
1569 return err;
1570
1571err:
1572 kfree(buf);
1573 fuse_copy_finish(cs);
1574 return err;
1575}
1576
1577static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
1578 struct fuse_copy_state *cs)
1579{
1580 struct fuse_notify_store_out outarg;
1581 struct inode *inode;
1582 struct address_space *mapping;
1583 u64 nodeid;
1584 int err;
1585 pgoff_t index;
1586 unsigned int offset;
1587 unsigned int num;
1588 loff_t file_size;
1589 loff_t end;
1590
1591 err = -EINVAL;
1592 if (size < sizeof(outarg))
1593 goto out_finish;
1594
1595 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1596 if (err)
1597 goto out_finish;
1598
1599 err = -EINVAL;
1600 if (size - sizeof(outarg) != outarg.size)
1601 goto out_finish;
1602
1603 nodeid = outarg.nodeid;
1604
1605 down_read(&fc->killsb);
1606
1607 err = -ENOENT;
1608 if (!fc->sb)
1609 goto out_up_killsb;
1610
1611 inode = ilookup5(fc->sb, nodeid, fuse_inode_eq, &nodeid);
1612 if (!inode)
1613 goto out_up_killsb;
1614
1615 mapping = inode->i_mapping;
1616 index = outarg.offset >> PAGE_SHIFT;
1617 offset = outarg.offset & ~PAGE_MASK;
1618 file_size = i_size_read(inode);
1619 end = outarg.offset + outarg.size;
1620 if (end > file_size) {
1621 file_size = end;
1622 fuse_write_update_size(inode, file_size);
1623 }
1624
1625 num = outarg.size;
1626 while (num) {
1627 struct page *page;
1628 unsigned int this_num;
1629
1630 err = -ENOMEM;
1631 page = find_or_create_page(mapping, index,
1632 mapping_gfp_mask(mapping));
1633 if (!page)
1634 goto out_iput;
1635
1636 this_num = min_t(unsigned, num, PAGE_SIZE - offset);
1637 err = fuse_copy_page(cs, &page, offset, this_num, 0);
1638 if (!err && offset == 0 &&
1639 (this_num == PAGE_SIZE || file_size == end))
1640 SetPageUptodate(page);
1641 unlock_page(page);
1642 put_page(page);
1643
1644 if (err)
1645 goto out_iput;
1646
1647 num -= this_num;
1648 offset = 0;
1649 index++;
1650 }
1651
1652 err = 0;
1653
1654out_iput:
1655 iput(inode);
1656out_up_killsb:
1657 up_read(&fc->killsb);
1658out_finish:
1659 fuse_copy_finish(cs);
1660 return err;
1661}
1662
1663static void fuse_retrieve_end(struct fuse_conn *fc, struct fuse_req *req)
1664{
1665 release_pages(req->pages, req->num_pages, false);
1666}
1667
1668static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
1669 struct fuse_notify_retrieve_out *outarg)
1670{
1671 int err;
1672 struct address_space *mapping = inode->i_mapping;
1673 struct fuse_req *req;
1674 pgoff_t index;
1675 loff_t file_size;
1676 unsigned int num;
1677 unsigned int offset;
1678 size_t total_len = 0;
1679 int num_pages;
1680
1681 offset = outarg->offset & ~PAGE_MASK;
1682 file_size = i_size_read(inode);
1683
1684 num = min(outarg->size, fc->max_write);
1685 if (outarg->offset > file_size)
1686 num = 0;
1687 else if (outarg->offset + num > file_size)
1688 num = file_size - outarg->offset;
1689
1690 num_pages = (num + offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
1691 num_pages = min(num_pages, FUSE_MAX_PAGES_PER_REQ);
1692
1693 req = fuse_get_req(fc, num_pages);
1694 if (IS_ERR(req))
1695 return PTR_ERR(req);
1696
1697 req->in.h.opcode = FUSE_NOTIFY_REPLY;
1698 req->in.h.nodeid = outarg->nodeid;
1699 req->in.numargs = 2;
1700 req->in.argpages = 1;
1701 req->end = fuse_retrieve_end;
1702
1703 index = outarg->offset >> PAGE_SHIFT;
1704
1705 while (num && req->num_pages < num_pages) {
1706 struct page *page;
1707 unsigned int this_num;
1708
1709 page = find_get_page(mapping, index);
1710 if (!page)
1711 break;
1712
1713 this_num = min_t(unsigned, num, PAGE_SIZE - offset);
1714 req->pages[req->num_pages] = page;
1715 req->page_descs[req->num_pages].offset = offset;
1716 req->page_descs[req->num_pages].length = this_num;
1717 req->num_pages++;
1718
1719 offset = 0;
1720 num -= this_num;
1721 total_len += this_num;
1722 index++;
1723 }
1724 req->misc.retrieve_in.offset = outarg->offset;
1725 req->misc.retrieve_in.size = total_len;
1726 req->in.args[0].size = sizeof(req->misc.retrieve_in);
1727 req->in.args[0].value = &req->misc.retrieve_in;
1728 req->in.args[1].size = total_len;
1729
1730 err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
1731 if (err) {
1732 fuse_retrieve_end(fc, req);
1733 fuse_put_request(fc, req);
1734 }
1735
1736 return err;
1737}
1738
1739static int fuse_notify_retrieve(struct fuse_conn *fc, unsigned int size,
1740 struct fuse_copy_state *cs)
1741{
1742 struct fuse_notify_retrieve_out outarg;
1743 struct inode *inode;
1744 int err;
1745
1746 err = -EINVAL;
1747 if (size != sizeof(outarg))
1748 goto copy_finish;
1749
1750 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1751 if (err)
1752 goto copy_finish;
1753
1754 fuse_copy_finish(cs);
1755
1756 down_read(&fc->killsb);
1757 err = -ENOENT;
1758 if (fc->sb) {
1759 u64 nodeid = outarg.nodeid;
1760
1761 inode = ilookup5(fc->sb, nodeid, fuse_inode_eq, &nodeid);
1762 if (inode) {
1763 err = fuse_retrieve(fc, inode, &outarg);
1764 iput(inode);
1765 }
1766 }
1767 up_read(&fc->killsb);
1768
1769 return err;
1770
1771copy_finish:
1772 fuse_copy_finish(cs);
1773 return err;
1774}
1775
1776static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
1777 unsigned int size, struct fuse_copy_state *cs)
1778{
1779 /* Don't try to move pages (yet) */
1780 cs->move_pages = 0;
1781
1782 switch (code) {
1783 case FUSE_NOTIFY_POLL:
1784 return fuse_notify_poll(fc, size, cs);
1785
1786 case FUSE_NOTIFY_INVAL_INODE:
1787 return fuse_notify_inval_inode(fc, size, cs);
1788
1789 case FUSE_NOTIFY_INVAL_ENTRY:
1790 return fuse_notify_inval_entry(fc, size, cs);
1791
1792 case FUSE_NOTIFY_STORE:
1793 return fuse_notify_store(fc, size, cs);
1794
1795 case FUSE_NOTIFY_RETRIEVE:
1796 return fuse_notify_retrieve(fc, size, cs);
1797
1798 case FUSE_NOTIFY_DELETE:
1799 return fuse_notify_delete(fc, size, cs);
1800
1801 default:
1802 fuse_copy_finish(cs);
1803 return -EINVAL;
1804 }
1805}
1806
1807/* Look up request on processing list by unique ID */
1808static struct fuse_req *request_find(struct fuse_pqueue *fpq, u64 unique)
1809{
1810 struct fuse_req *req;
1811
1812 list_for_each_entry(req, &fpq->processing, list) {
1813 if (req->in.h.unique == unique || req->intr_unique == unique)
1814 return req;
1815 }
1816 return NULL;
1817}
1818
1819static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
1820 unsigned nbytes)
1821{
1822 unsigned reqsize = sizeof(struct fuse_out_header);
1823
1824 if (out->h.error)
1825 return nbytes != reqsize ? -EINVAL : 0;
1826
1827 reqsize += len_args(out->numargs, out->args);
1828
1829 if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
1830 return -EINVAL;
1831 else if (reqsize > nbytes) {
1832 struct fuse_arg *lastarg = &out->args[out->numargs-1];
1833 unsigned diffsize = reqsize - nbytes;
1834 if (diffsize > lastarg->size)
1835 return -EINVAL;
1836 lastarg->size -= diffsize;
1837 }
1838 return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
1839 out->page_zeroing);
1840}
1841
1842/*
1843 * Write a single reply to a request. First the header is copied from
1844 * the write buffer. The request is then searched on the processing
1845 * list by the unique ID found in the header. If found, then remove
1846 * it from the list and copy the rest of the buffer to the request.
1847 * The request is finished by calling request_end()
1848 */
1849static ssize_t fuse_dev_do_write(struct fuse_dev *fud,
1850 struct fuse_copy_state *cs, size_t nbytes)
1851{
1852 int err;
1853 struct fuse_conn *fc = fud->fc;
1854 struct fuse_pqueue *fpq = &fud->pq;
1855 struct fuse_req *req;
1856 struct fuse_out_header oh;
1857
1858 if (nbytes < sizeof(struct fuse_out_header))
1859 return -EINVAL;
1860
1861 err = fuse_copy_one(cs, &oh, sizeof(oh));
1862 if (err)
1863 goto err_finish;
1864
1865 err = -EINVAL;
1866 if (oh.len != nbytes)
1867 goto err_finish;
1868
1869 /*
1870 * Zero oh.unique indicates unsolicited notification message
1871 * and error contains notification code.
1872 */
1873 if (!oh.unique) {
1874 err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), cs);
1875 return err ? err : nbytes;
1876 }
1877
1878 err = -EINVAL;
1879 if (oh.error <= -1000 || oh.error > 0)
1880 goto err_finish;
1881
1882 spin_lock(&fpq->lock);
1883 err = -ENOENT;
1884 if (!fpq->connected)
1885 goto err_unlock_pq;
1886
1887 req = request_find(fpq, oh.unique);
1888 if (!req)
1889 goto err_unlock_pq;
1890
1891 /* Is it an interrupt reply? */
1892 if (req->intr_unique == oh.unique) {
1893 __fuse_get_request(req);
1894 spin_unlock(&fpq->lock);
1895
1896 err = -EINVAL;
1897 if (nbytes != sizeof(struct fuse_out_header)) {
1898 fuse_put_request(fc, req);
1899 goto err_finish;
1900 }
1901
1902 if (oh.error == -ENOSYS)
1903 fc->no_interrupt = 1;
1904 else if (oh.error == -EAGAIN)
1905 queue_interrupt(&fc->iq, req);
1906 fuse_put_request(fc, req);
1907
1908 fuse_copy_finish(cs);
1909 return nbytes;
1910 }
1911
1912 clear_bit(FR_SENT, &req->flags);
1913 list_move(&req->list, &fpq->io);
1914 req->out.h = oh;
1915 set_bit(FR_LOCKED, &req->flags);
1916 spin_unlock(&fpq->lock);
1917 cs->req = req;
1918 if (!req->out.page_replace)
1919 cs->move_pages = 0;
1920
1921 err = copy_out_args(cs, &req->out, nbytes);
1922 if (req->in.h.opcode == FUSE_CANONICAL_PATH) {
1923 char *path = (char *)req->out.args[0].value;
1924
1925 path[req->out.args[0].size - 1] = 0;
1926 req->out.h.error = kern_path(path, 0, req->canonical_path);
1927 }
1928 fuse_copy_finish(cs);
1929
1930 spin_lock(&fpq->lock);
1931 clear_bit(FR_LOCKED, &req->flags);
1932 if (!fpq->connected)
1933 err = -ENOENT;
1934 else if (err)
1935 req->out.h.error = -EIO;
1936 if (!test_bit(FR_PRIVATE, &req->flags))
1937 list_del_init(&req->list);
1938 spin_unlock(&fpq->lock);
1939
1940 request_end(fc, req);
1941
1942 return err ? err : nbytes;
1943
1944 err_unlock_pq:
1945 spin_unlock(&fpq->lock);
1946 err_finish:
1947 fuse_copy_finish(cs);
1948 return err;
1949}
1950
1951static ssize_t fuse_dev_write(struct kiocb *iocb, struct iov_iter *from)
1952{
1953 struct fuse_copy_state cs;
1954 struct fuse_dev *fud = fuse_get_dev(iocb->ki_filp);
1955
1956 if (!fud)
1957 return -EPERM;
1958
1959 if (!iter_is_iovec(from))
1960 return -EINVAL;
1961
1962 fuse_copy_init(&cs, 0, from);
1963
1964 return fuse_dev_do_write(fud, &cs, iov_iter_count(from));
1965}
1966
1967static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
1968 struct file *out, loff_t *ppos,
1969 size_t len, unsigned int flags)
1970{
1971 unsigned nbuf;
1972 unsigned idx;
1973 struct pipe_buffer *bufs;
1974 struct fuse_copy_state cs;
1975 struct fuse_dev *fud;
1976 size_t rem;
1977 ssize_t ret;
1978
1979 fud = fuse_get_dev(out);
1980 if (!fud)
1981 return -EPERM;
1982
1983 pipe_lock(pipe);
1984
1985 bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
1986 if (!bufs) {
1987 pipe_unlock(pipe);
1988 return -ENOMEM;
1989 }
1990
1991 nbuf = 0;
1992 rem = 0;
1993 for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
1994 rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
1995
1996 ret = -EINVAL;
1997 if (rem < len)
1998 goto out_free;
1999
2000 rem = len;
2001 while (rem) {
2002 struct pipe_buffer *ibuf;
2003 struct pipe_buffer *obuf;
2004
2005 BUG_ON(nbuf >= pipe->buffers);
2006 BUG_ON(!pipe->nrbufs);
2007 ibuf = &pipe->bufs[pipe->curbuf];
2008 obuf = &bufs[nbuf];
2009
2010 if (rem >= ibuf->len) {
2011 *obuf = *ibuf;
2012 ibuf->ops = NULL;
2013 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
2014 pipe->nrbufs--;
2015 } else {
2016 if (!pipe_buf_get(pipe, ibuf))
2017 goto out_free;
2018
2019 *obuf = *ibuf;
2020 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
2021 obuf->len = rem;
2022 ibuf->offset += obuf->len;
2023 ibuf->len -= obuf->len;
2024 }
2025 nbuf++;
2026 rem -= obuf->len;
2027 }
2028 pipe_unlock(pipe);
2029
2030 fuse_copy_init(&cs, 0, NULL);
2031 cs.pipebufs = bufs;
2032 cs.nr_segs = nbuf;
2033 cs.pipe = pipe;
2034
2035 if (flags & SPLICE_F_MOVE)
2036 cs.move_pages = 1;
2037
2038 ret = fuse_dev_do_write(fud, &cs, len);
2039
2040 pipe_lock(pipe);
2041out_free:
2042 for (idx = 0; idx < nbuf; idx++)
2043 pipe_buf_release(pipe, &bufs[idx]);
2044 pipe_unlock(pipe);
2045
2046 kfree(bufs);
2047 return ret;
2048}
2049
2050static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
2051{
2052 unsigned mask = POLLOUT | POLLWRNORM;
2053 struct fuse_iqueue *fiq;
2054 struct fuse_dev *fud = fuse_get_dev(file);
2055
2056 if (!fud)
2057 return POLLERR;
2058
2059 fiq = &fud->fc->iq;
2060 poll_wait(file, &fiq->waitq, wait);
2061
2062 spin_lock(&fiq->waitq.lock);
2063 if (!fiq->connected)
2064 mask = POLLERR;
2065 else if (request_pending(fiq))
2066 mask |= POLLIN | POLLRDNORM;
2067 spin_unlock(&fiq->waitq.lock);
2068
2069 return mask;
2070}
2071
2072/*
2073 * Abort all requests on the given list (pending or processing)
2074 *
2075 * This function releases and reacquires fc->lock
2076 */
2077static void end_requests(struct fuse_conn *fc, struct list_head *head)
2078{
2079 while (!list_empty(head)) {
2080 struct fuse_req *req;
2081 req = list_entry(head->next, struct fuse_req, list);
2082 req->out.h.error = -ECONNABORTED;
2083 clear_bit(FR_SENT, &req->flags);
2084 list_del_init(&req->list);
2085 request_end(fc, req);
2086 }
2087}
2088
2089static void end_polls(struct fuse_conn *fc)
2090{
2091 struct rb_node *p;
2092
2093 p = rb_first(&fc->polled_files);
2094
2095 while (p) {
2096 struct fuse_file *ff;
2097 ff = rb_entry(p, struct fuse_file, polled_node);
2098 wake_up_interruptible_all(&ff->poll_wait);
2099
2100 p = rb_next(p);
2101 }
2102}
2103
2104/*
2105 * Abort all requests.
2106 *
2107 * Emergency exit in case of a malicious or accidental deadlock, or just a hung
2108 * filesystem.
2109 *
2110 * The same effect is usually achievable through killing the filesystem daemon
2111 * and all users of the filesystem. The exception is the combination of an
2112 * asynchronous request and the tricky deadlock (see
2113 * Documentation/filesystems/fuse.txt).
2114 *
2115 * Aborting requests under I/O goes as follows: 1: Separate out unlocked
2116 * requests, they should be finished off immediately. Locked requests will be
2117 * finished after unlock; see unlock_request(). 2: Finish off the unlocked
2118 * requests. It is possible that some request will finish before we can. This
2119 * is OK, the request will in that case be removed from the list before we touch
2120 * it.
2121 */
2122void fuse_abort_conn(struct fuse_conn *fc)
2123{
2124 struct fuse_iqueue *fiq = &fc->iq;
2125
2126 spin_lock(&fc->lock);
2127 if (fc->connected) {
2128 struct fuse_dev *fud;
2129 struct fuse_req *req, *next;
2130 LIST_HEAD(to_end1);
2131 LIST_HEAD(to_end2);
2132
2133 fc->connected = 0;
2134 fc->blocked = 0;
2135 fuse_set_initialized(fc);
2136 list_for_each_entry(fud, &fc->devices, entry) {
2137 struct fuse_pqueue *fpq = &fud->pq;
2138
2139 spin_lock(&fpq->lock);
2140 fpq->connected = 0;
2141 list_for_each_entry_safe(req, next, &fpq->io, list) {
2142 req->out.h.error = -ECONNABORTED;
2143 spin_lock(&req->waitq.lock);
2144 set_bit(FR_ABORTED, &req->flags);
2145 if (!test_bit(FR_LOCKED, &req->flags)) {
2146 set_bit(FR_PRIVATE, &req->flags);
2147 __fuse_get_request(req);
2148 list_move(&req->list, &to_end1);
2149 }
2150 spin_unlock(&req->waitq.lock);
2151 }
2152 list_splice_init(&fpq->processing, &to_end2);
2153 spin_unlock(&fpq->lock);
2154 }
2155 fc->max_background = UINT_MAX;
2156 flush_bg_queue(fc);
2157
2158 spin_lock(&fiq->waitq.lock);
2159 fiq->connected = 0;
2160 list_splice_init(&fiq->pending, &to_end2);
2161 list_for_each_entry(req, &to_end2, list)
2162 clear_bit(FR_PENDING, &req->flags);
2163 while (forget_pending(fiq))
2164 kfree(dequeue_forget(fiq, 1, NULL));
2165 wake_up_all_locked(&fiq->waitq);
2166 spin_unlock(&fiq->waitq.lock);
2167 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
2168 end_polls(fc);
2169 wake_up_all(&fc->blocked_waitq);
2170 spin_unlock(&fc->lock);
2171
2172 while (!list_empty(&to_end1)) {
2173 req = list_first_entry(&to_end1, struct fuse_req, list);
2174 list_del_init(&req->list);
2175 request_end(fc, req);
2176 }
2177 end_requests(fc, &to_end2);
2178 } else {
2179 spin_unlock(&fc->lock);
2180 }
2181}
2182EXPORT_SYMBOL_GPL(fuse_abort_conn);
2183
2184void fuse_wait_aborted(struct fuse_conn *fc)
2185{
2186 /* matches implicit memory barrier in fuse_drop_waiting() */
2187 smp_mb();
2188 wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0);
2189}
2190
2191int fuse_dev_release(struct inode *inode, struct file *file)
2192{
2193 struct fuse_dev *fud = fuse_get_dev(file);
2194
2195 if (fud) {
2196 struct fuse_conn *fc = fud->fc;
2197 struct fuse_pqueue *fpq = &fud->pq;
2198 LIST_HEAD(to_end);
2199
2200 spin_lock(&fpq->lock);
2201 WARN_ON(!list_empty(&fpq->io));
2202 list_splice_init(&fpq->processing, &to_end);
2203 spin_unlock(&fpq->lock);
2204
2205 end_requests(fc, &to_end);
2206
2207 /* Are we the last open device? */
2208 if (atomic_dec_and_test(&fc->dev_count)) {
2209 WARN_ON(fc->iq.fasync != NULL);
2210 fuse_abort_conn(fc);
2211 }
2212 fuse_dev_free(fud);
2213 }
2214 return 0;
2215}
2216EXPORT_SYMBOL_GPL(fuse_dev_release);
2217
2218static int fuse_dev_fasync(int fd, struct file *file, int on)
2219{
2220 struct fuse_dev *fud = fuse_get_dev(file);
2221
2222 if (!fud)
2223 return -EPERM;
2224
2225 /* No locking - fasync_helper does its own locking */
2226 return fasync_helper(fd, file, on, &fud->fc->iq.fasync);
2227}
2228
2229static int fuse_device_clone(struct fuse_conn *fc, struct file *new)
2230{
2231 struct fuse_dev *fud;
2232
2233 if (new->private_data)
2234 return -EINVAL;
2235
2236 fud = fuse_dev_alloc(fc);
2237 if (!fud)
2238 return -ENOMEM;
2239
2240 new->private_data = fud;
2241 atomic_inc(&fc->dev_count);
2242
2243 return 0;
2244}
2245
2246static long fuse_dev_ioctl(struct file *file, unsigned int cmd,
2247 unsigned long arg)
2248{
2249 int err = -ENOTTY;
2250
2251 if (cmd == FUSE_DEV_IOC_CLONE) {
2252 int oldfd;
2253
2254 err = -EFAULT;
2255 if (!get_user(oldfd, (__u32 __user *) arg)) {
2256 struct file *old = fget(oldfd);
2257
2258 err = -EINVAL;
2259 if (old) {
2260 struct fuse_dev *fud = NULL;
2261
2262 /*
2263 * Check against file->f_op because CUSE
2264 * uses the same ioctl handler.
2265 */
2266 if (old->f_op == file->f_op &&
2267 old->f_cred->user_ns == file->f_cred->user_ns)
2268 fud = fuse_get_dev(old);
2269
2270 if (fud) {
2271 mutex_lock(&fuse_mutex);
2272 err = fuse_device_clone(fud->fc, file);
2273 mutex_unlock(&fuse_mutex);
2274 }
2275 fput(old);
2276 }
2277 }
2278 }
2279 return err;
2280}
2281
2282const struct file_operations fuse_dev_operations = {
2283 .owner = THIS_MODULE,
2284 .open = fuse_dev_open,
2285 .llseek = no_llseek,
2286 .read_iter = fuse_dev_read,
2287 .splice_read = fuse_dev_splice_read,
2288 .write_iter = fuse_dev_write,
2289 .splice_write = fuse_dev_splice_write,
2290 .poll = fuse_dev_poll,
2291 .release = fuse_dev_release,
2292 .fasync = fuse_dev_fasync,
2293 .unlocked_ioctl = fuse_dev_ioctl,
2294 .compat_ioctl = fuse_dev_ioctl,
2295};
2296EXPORT_SYMBOL_GPL(fuse_dev_operations);
2297
2298static struct miscdevice fuse_miscdevice = {
2299 .minor = FUSE_MINOR,
2300 .name = "fuse",
2301 .fops = &fuse_dev_operations,
2302};
2303
2304int __init fuse_dev_init(void)
2305{
2306 int err = -ENOMEM;
2307 fuse_req_cachep = kmem_cache_create("fuse_request",
2308 sizeof(struct fuse_req),
2309 0, 0, NULL);
2310 if (!fuse_req_cachep)
2311 goto out;
2312
2313 err = misc_register(&fuse_miscdevice);
2314 if (err)
2315 goto out_cache_clean;
2316
2317 return 0;
2318
2319 out_cache_clean:
2320 kmem_cache_destroy(fuse_req_cachep);
2321 out:
2322 return err;
2323}
2324
2325void fuse_dev_cleanup(void)
2326{
2327 misc_deregister(&fuse_miscdevice);
2328 kmem_cache_destroy(fuse_req_cachep);
2329}