LXR linux/fs/fuse/dev.c

   1/*
   2  FUSE: Filesystem in Userspace
   3  Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>
   4
   5  This program can be distributed under the terms of the GNU GPL.
   6  See the file COPYING.
   7*/
   8
   9#include "fuse_i.h"
  10
  11#include <linux/init.h>
  12#include <linux/module.h>
  13#include <linux/poll.h>
  14#include <linux/uio.h>
  15#include <linux/miscdevice.h>
  16#include <linux/pagemap.h>
  17#include <linux/file.h>
  18#include <linux/slab.h>
  19
  20MODULE_ALIAS_MISCDEV(FUSE_MINOR);
  21
  22static struct kmem_cache *fuse_req_cachep;
  23
  24static struct fuse_conn *fuse_get_conn(struct file *file)
  25{
  26        /*
  27         * Lockless access is OK, because file->private data is set
  28         * once during mount and is valid until the file is released.
  29         */
  30        return file->private_data;
  31}
  32
  33static void fuse_request_init(struct fuse_req *req)
  34{
  35        memset(req, 0, sizeof(*req));
  36        INIT_LIST_HEAD(&req->list);
  37        INIT_LIST_HEAD(&req->intr_entry);
  38        init_waitqueue_head(&req->waitq);
  39        atomic_set(&req->count, 1);
  40}
  41
  42struct fuse_req *fuse_request_alloc(void)
  43{
  44        struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
  45        if (req)
  46                fuse_request_init(req);
  47        return req;
  48}
  49
  50void fuse_request_free(struct fuse_req *req)
  51{
  52        kmem_cache_free(fuse_req_cachep, req);
  53}
  54
  55static void block_sigs(sigset_t *oldset)
  56{
  57        sigset_t mask;
  58
  59        siginitsetinv(&mask, sigmask(SIGKILL));
  60        sigprocmask(SIG_BLOCK, &mask, oldset);
  61}
  62
  63static void restore_sigs(sigset_t *oldset)
  64{
  65        sigprocmask(SIG_SETMASK, oldset, NULL);
  66}
  67
  68static void __fuse_get_request(struct fuse_req *req)
  69{
  70        atomic_inc(&req->count);
  71}
  72
  73/* Must be called with > 1 refcount */
  74static void __fuse_put_request(struct fuse_req *req)
  75{
  76        BUG_ON(atomic_read(&req->count) < 2);
  77        atomic_dec(&req->count);
  78}
  79
  80static void fuse_req_init_context(struct fuse_req *req)
  81{
  82        req->in.h.uid = current->fsuid;
  83        req->in.h.gid = current->fsgid;
  84        req->in.h.pid = current->pid;
  85}
  86
  87struct fuse_req *fuse_get_req(struct fuse_conn *fc)
  88{
  89        struct fuse_req *req;
  90        sigset_t oldset;
  91        int intr;
  92        int err;
  93
  94        atomic_inc(&fc->num_waiting);
  95        block_sigs(&oldset);
  96        intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
  97        restore_sigs(&oldset);
  98        err = -EINTR;
  99        if (intr)
 100                goto out;
 101
 102        err = -ENOTCONN;
 103        if (!fc->connected)
 104                goto out;
 105
 106        req = fuse_request_alloc();
 107        err = -ENOMEM;
 108        if (!req)
 109                goto out;
 110
 111        fuse_req_init_context(req);
 112        req->waiting = 1;
 113        return req;
 114
 115 out:
 116        atomic_dec(&fc->num_waiting);
 117        return ERR_PTR(err);
 118}
 119
 120/*
 121 * Return request in fuse_file->reserved_req.  However that may
 122 * currently be in use.  If that is the case, wait for it to become
 123 * available.
 124 */
 125static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
 126                                         struct file *file)
 127{
 128        struct fuse_req *req = NULL;
 129        struct fuse_file *ff = file->private_data;
 130
 131        do {
 132                wait_event(fc->blocked_waitq, ff->reserved_req);
 133                spin_lock(&fc->lock);
 134                if (ff->reserved_req) {
 135                        req = ff->reserved_req;
 136                        ff->reserved_req = NULL;
 137                        get_file(file);
 138                        req->stolen_file = file;
 139                }
 140                spin_unlock(&fc->lock);
 141        } while (!req);
 142
 143        return req;
 144}
 145
 146/*
 147 * Put stolen request back into fuse_file->reserved_req
 148 */
 149static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
 150{
 151        struct file *file = req->stolen_file;
 152        struct fuse_file *ff = file->private_data;
 153
 154        spin_lock(&fc->lock);
 155        fuse_request_init(req);
 156        BUG_ON(ff->reserved_req);
 157        ff->reserved_req = req;
 158        wake_up(&fc->blocked_waitq);
 159        spin_unlock(&fc->lock);
 160        fput(file);
 161}
 162
 163/*
 164 * Gets a requests for a file operation, always succeeds
 165 *
 166 * This is used for sending the FLUSH request, which must get to
 167 * userspace, due to POSIX locks which may need to be unlocked.
 168 *
 169 * If allocation fails due to OOM, use the reserved request in
 170 * fuse_file.
 171 *
 172 * This is very unlikely to deadlock accidentally, since the
 173 * filesystem should not have it's own file open.  If deadlock is
 174 * intentional, it can still be broken by "aborting" the filesystem.
 175 */
 176struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
 177{
 178        struct fuse_req *req;
 179
 180        atomic_inc(&fc->num_waiting);
 181        wait_event(fc->blocked_waitq, !fc->blocked);
 182        req = fuse_request_alloc();
 183        if (!req)
 184                req = get_reserved_req(fc, file);
 185
 186        fuse_req_init_context(req);
 187        req->waiting = 1;
 188        return req;
 189}
 190
 191void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
 192{
 193        if (atomic_dec_and_test(&req->count)) {
 194                if (req->waiting)
 195                        atomic_dec(&fc->num_waiting);
 196
 197                if (req->stolen_file)
 198                        put_reserved_req(fc, req);
 199                else
 200                        fuse_request_free(req);
 201        }
 202}
 203
 204/*
 205 * This function is called when a request is finished.  Either a reply
 206 * has arrived or it was aborted (and not yet sent) or some error
 207 * occurred during communication with userspace, or the device file
 208 * was closed.  The requester thread is woken up (if still waiting),
 209 * the 'end' callback is called if given, else the reference to the
 210 * request is released
 211 *
 212 * Called with fc->lock, unlocks it
 213 */
 214static void request_end(struct fuse_conn *fc, struct fuse_req *req)
 215        __releases(fc->lock)
 216{
 217        void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
 218        req->end = NULL;
 219        list_del(&req->list);
 220        list_del(&req->intr_entry);
 221        req->state = FUSE_REQ_FINISHED;
 222        if (req->background) {
 223                if (fc->num_background == FUSE_MAX_BACKGROUND) {
 224                        fc->blocked = 0;
 225                        wake_up_all(&fc->blocked_waitq);
 226                }
 227                fc->num_background--;
 228        }
 229        spin_unlock(&fc->lock);
 230        dput(req->dentry);
 231        mntput(req->vfsmount);
 232        if (req->file)
 233                fput(req->file);
 234        wake_up(&req->waitq);
 235        if (end)
 236                end(fc, req);
 237        else
 238                fuse_put_request(fc, req);
 239}
 240
 241static void wait_answer_interruptible(struct fuse_conn *fc,
 242                                      struct fuse_req *req)
 243{
 244        if (signal_pending(current))
 245                return;
 246
 247        spin_unlock(&fc->lock);
 248        wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
 249        spin_lock(&fc->lock);
 250}
 251
 252static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
 253{
 254        list_add_tail(&req->intr_entry, &fc->interrupts);
 255        wake_up(&fc->waitq);
 256        kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 257}
 258
 259/* Called with fc->lock held.  Releases, and then reacquires it. */
 260static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
 261{
 262        if (!fc->no_interrupt) {
 263                /* Any signal may interrupt this */
 264                wait_answer_interruptible(fc, req);
 265
 266                if (req->aborted)
 267                        goto aborted;
 268                if (req->state == FUSE_REQ_FINISHED)
 269                        return;
 270
 271                req->interrupted = 1;
 272                if (req->state == FUSE_REQ_SENT)
 273                        queue_interrupt(fc, req);
 274        }
 275
 276        if (req->force) {
 277                spin_unlock(&fc->lock);
 278                wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
 279                spin_lock(&fc->lock);
 280        } else {
 281                sigset_t oldset;
 282
 283                /* Only fatal signals may interrupt this */
 284                block_sigs(&oldset);
 285                wait_answer_interruptible(fc, req);
 286                restore_sigs(&oldset);
 287        }
 288
 289        if (req->aborted)
 290                goto aborted;
 291        if (req->state == FUSE_REQ_FINISHED)
 292                return;
 293
 294        req->out.h.error = -EINTR;
 295        req->aborted = 1;
 296
 297 aborted:
 298        if (req->locked) {
 299                /* This is uninterruptible sleep, because data is
 300                   being copied to/from the buffers of req.  During
 301                   locked state, there mustn't be any filesystem
 302                   operation (e.g. page fault), since that could lead
 303                   to deadlock */
 304                spin_unlock(&fc->lock);
 305                wait_event(req->waitq, !req->locked);
 306                spin_lock(&fc->lock);
 307        }
 308        if (req->state == FUSE_REQ_PENDING) {
 309                list_del(&req->list);
 310                __fuse_put_request(req);
 311        } else if (req->state == FUSE_REQ_SENT) {
 312                spin_unlock(&fc->lock);
 313                wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
 314                spin_lock(&fc->lock);
 315        }
 316}
 317
 318static unsigned len_args(unsigned numargs, struct fuse_arg *args)
 319{
 320        unsigned nbytes = 0;
 321        unsigned i;
 322
 323        for (i = 0; i < numargs; i++)
 324                nbytes += args[i].size;
 325
 326        return nbytes;
 327}
 328
 329static u64 fuse_get_unique(struct fuse_conn *fc)
 330 {
 331        fc->reqctr++;
 332        /* zero is special */
 333        if (fc->reqctr == 0)
 334                fc->reqctr = 1;
 335
 336        return fc->reqctr;
 337}
 338
 339static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
 340{
 341        req->in.h.unique = fuse_get_unique(fc);
 342        req->in.h.len = sizeof(struct fuse_in_header) +
 343                len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
 344        list_add_tail(&req->list, &fc->pending);
 345        req->state = FUSE_REQ_PENDING;
 346        if (!req->waiting) {
 347                req->waiting = 1;
 348                atomic_inc(&fc->num_waiting);
 349        }
 350        wake_up(&fc->waitq);
 351        kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 352}
 353
 354void request_send(struct fuse_conn *fc, struct fuse_req *req)
 355{
 356        req->isreply = 1;
 357        spin_lock(&fc->lock);
 358        if (!fc->connected)
 359                req->out.h.error = -ENOTCONN;
 360        else if (fc->conn_error)
 361                req->out.h.error = -ECONNREFUSED;
 362        else {
 363                queue_request(fc, req);
 364                /* acquire extra reference, since request is still needed
 365                   after request_end() */
 366                __fuse_get_request(req);
 367
 368                request_wait_answer(fc, req);
 369        }
 370        spin_unlock(&fc->lock);
 371}
 372
 373static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
 374{
 375        spin_lock(&fc->lock);
 376        if (fc->connected) {
 377                req->background = 1;
 378                fc->num_background++;
 379                if (fc->num_background == FUSE_MAX_BACKGROUND)
 380                        fc->blocked = 1;
 381
 382                queue_request(fc, req);
 383                spin_unlock(&fc->lock);
 384        } else {
 385                req->out.h.error = -ENOTCONN;
 386                request_end(fc, req);
 387        }
 388}
 389
 390void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
 391{
 392        req->isreply = 0;
 393        request_send_nowait(fc, req);
 394}
 395
 396void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
 397{
 398        req->isreply = 1;
 399        request_send_nowait(fc, req);
 400}
 401
 402/*
 403 * Lock the request.  Up to the next unlock_request() there mustn't be
 404 * anything that could cause a page-fault.  If the request was already
 405 * aborted bail out.
 406 */
 407static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
 408{
 409        int err = 0;
 410        if (req) {
 411                spin_lock(&fc->lock);
 412                if (req->aborted)
 413                        err = -ENOENT;
 414                else
 415                        req->locked = 1;
 416                spin_unlock(&fc->lock);
 417        }
 418        return err;
 419}
 420
 421/*
 422 * Unlock request.  If it was aborted during being locked, the
 423 * requester thread is currently waiting for it to be unlocked, so
 424 * wake it up.
 425 */
 426static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
 427{
 428        if (req) {
 429                spin_lock(&fc->lock);
 430                req->locked = 0;
 431                if (req->aborted)
 432                        wake_up(&req->waitq);
 433                spin_unlock(&fc->lock);
 434        }
 435}
 436
 437struct fuse_copy_state {
 438        struct fuse_conn *fc;
 439        int write;
 440        struct fuse_req *req;
 441        const struct iovec *iov;
 442        unsigned long nr_segs;
 443        unsigned long seglen;
 444        unsigned long addr;
 445        struct page *pg;
 446        void *mapaddr;
 447        void *buf;
 448        unsigned len;
 449};
 450
 451static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
 452                           int write, struct fuse_req *req,
 453                           const struct iovec *iov, unsigned long nr_segs)
 454{
 455        memset(cs, 0, sizeof(*cs));
 456        cs->fc = fc;
 457        cs->write = write;
 458        cs->req = req;
 459        cs->iov = iov;
 460        cs->nr_segs = nr_segs;
 461}
 462
 463/* Unmap and put previous page of userspace buffer */
 464static void fuse_copy_finish(struct fuse_copy_state *cs)
 465{
 466        if (cs->mapaddr) {
 467                kunmap_atomic(cs->mapaddr, KM_USER0);
 468                if (cs->write) {
 469                        flush_dcache_page(cs->pg);
 470                        set_page_dirty_lock(cs->pg);
 471                }
 472                put_page(cs->pg);
 473                cs->mapaddr = NULL;
 474        }
 475}
 476
 477/*
 478 * Get another pagefull of userspace buffer, and map it to kernel
 479 * address space, and lock request
 480 */
 481static int fuse_copy_fill(struct fuse_copy_state *cs)
 482{
 483        unsigned long offset;
 484        int err;
 485
 486        unlock_request(cs->fc, cs->req);
 487        fuse_copy_finish(cs);
 488        if (!cs->seglen) {
 489                BUG_ON(!cs->nr_segs);
 490                cs->seglen = cs->iov[0].iov_len;
 491                cs->addr = (unsigned long) cs->iov[0].iov_base;
 492                cs->iov ++;
 493                cs->nr_segs --;
 494        }
 495        down_read(&current->mm->mmap_sem);
 496        err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
 497                             &cs->pg, NULL);
 498        up_read(&current->mm->mmap_sem);
 499        if (err < 0)
 500                return err;
 501        BUG_ON(err != 1);
 502        offset = cs->addr % PAGE_SIZE;
 503        cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
 504        cs->buf = cs->mapaddr + offset;
 505        cs->len = min(PAGE_SIZE - offset, cs->seglen);
 506        cs->seglen -= cs->len;
 507        cs->addr += cs->len;
 508
 509        return lock_request(cs->fc, cs->req);
 510}
 511
 512/* Do as much copy to/from userspace buffer as we can */
 513static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
 514{
 515        unsigned ncpy = min(*size, cs->len);
 516        if (val) {
 517                if (cs->write)
 518                        memcpy(cs->buf, *val, ncpy);
 519                else
 520                        memcpy(*val, cs->buf, ncpy);
 521                *val += ncpy;
 522        }
 523        *size -= ncpy;
 524        cs->len -= ncpy;
 525        cs->buf += ncpy;
 526        return ncpy;
 527}
 528
 529/*
 530 * Copy a page in the request to/from the userspace buffer.  Must be
 531 * done atomically
 532 */
 533static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
 534                          unsigned offset, unsigned count, int zeroing)
 535{
 536        if (page && zeroing && count < PAGE_SIZE) {
 537                void *mapaddr = kmap_atomic(page, KM_USER1);
 538                memset(mapaddr, 0, PAGE_SIZE);
 539                kunmap_atomic(mapaddr, KM_USER1);
 540        }
 541        while (count) {
 542                int err;
 543                if (!cs->len && (err = fuse_copy_fill(cs)))
 544                        return err;
 545                if (page) {
 546                        void *mapaddr = kmap_atomic(page, KM_USER1);
 547                        void *buf = mapaddr + offset;
 548                        offset += fuse_copy_do(cs, &buf, &count);
 549                        kunmap_atomic(mapaddr, KM_USER1);
 550                } else
 551                        offset += fuse_copy_do(cs, NULL, &count);
 552        }
 553        if (page && !cs->write)
 554                flush_dcache_page(page);
 555        return 0;
 556}
 557
 558/* Copy pages in the request to/from userspace buffer */
 559static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
 560                           int zeroing)
 561{
 562        unsigned i;
 563        struct fuse_req *req = cs->req;
 564        unsigned offset = req->page_offset;
 565        unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
 566
 567        for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
 568                struct page *page = req->pages[i];
 569                int err = fuse_copy_page(cs, page, offset, count, zeroing);
 570                if (err)
 571                        return err;
 572
 573                nbytes -= count;
 574                count = min(nbytes, (unsigned) PAGE_SIZE);
 575                offset = 0;
 576        }
 577        return 0;
 578}
 579
 580/* Copy a single argument in the request to/from userspace buffer */
 581static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
 582{
 583        while (size) {
 584                int err;
 585                if (!cs->len && (err = fuse_copy_fill(cs)))
 586                        return err;
 587                fuse_copy_do(cs, &val, &size);
 588        }
 589        return 0;
 590}
 591
 592/* Copy request arguments to/from userspace buffer */
 593static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
 594                          unsigned argpages, struct fuse_arg *args,
 595                          int zeroing)
 596{
 597        int err = 0;
 598        unsigned i;
 599
 600        for (i = 0; !err && i < numargs; i++)  {
 601                struct fuse_arg *arg = &args[i];
 602                if (i == numargs - 1 && argpages)
 603                        err = fuse_copy_pages(cs, arg->size, zeroing);
 604                else
 605                        err = fuse_copy_one(cs, arg->value, arg->size);
 606        }
 607        return err;
 608}
 609
 610static int request_pending(struct fuse_conn *fc)
 611{
 612        return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
 613}
 614
 615/* Wait until a request is available on the pending list */
 616static void request_wait(struct fuse_conn *fc)
 617{
 618        DECLARE_WAITQUEUE(wait, current);
 619
 620        add_wait_queue_exclusive(&fc->waitq, &wait);
 621        while (fc->connected && !request_pending(fc)) {
 622                set_current_state(TASK_INTERRUPTIBLE);
 623                if (signal_pending(current))
 624                        break;
 625
 626                spin_unlock(&fc->lock);
 627                schedule();
 628                spin_lock(&fc->lock);
 629        }
 630        set_current_state(TASK_RUNNING);
 631        remove_wait_queue(&fc->waitq, &wait);
 632}
 633
 634/*
 635 * Transfer an interrupt request to userspace
 636 *
 637 * Unlike other requests this is assembled on demand, without a need
 638 * to allocate a separate fuse_req structure.
 639 *
 640 * Called with fc->lock held, releases it
 641 */
 642static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
 643                               const struct iovec *iov, unsigned long nr_segs)
 644        __releases(fc->lock)
 645{
 646        struct fuse_copy_state cs;
 647        struct fuse_in_header ih;
 648        struct fuse_interrupt_in arg;
 649        unsigned reqsize = sizeof(ih) + sizeof(arg);
 650        int err;
 651
 652        list_del_init(&req->intr_entry);
 653        req->intr_unique = fuse_get_unique(fc);
 654        memset(&ih, 0, sizeof(ih));
 655        memset(&arg, 0, sizeof(arg));
 656        ih.len = reqsize;
 657        ih.opcode = FUSE_INTERRUPT;
 658        ih.unique = req->intr_unique;
 659        arg.unique = req->in.h.unique;
 660
 661        spin_unlock(&fc->lock);
 662        if (iov_length(iov, nr_segs) < reqsize)
 663                return -EINVAL;
 664
 665        fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
 666        err = fuse_copy_one(&cs, &ih, sizeof(ih));
 667        if (!err)
 668                err = fuse_copy_one(&cs, &arg, sizeof(arg));
 669        fuse_copy_finish(&cs);
 670
 671        return err ? err : reqsize;
 672}
 673
 674/*
 675 * Read a single request into the userspace filesystem's buffer.  This
 676 * function waits until a request is available, then removes it from
 677 * the pending list and copies request data to userspace buffer.  If
 678 * no reply is needed (FORGET) or request has been aborted or there
 679 * was an error during the copying then it's finished by calling
 680 * request_end().  Otherwise add it to the processing list, and set
 681 * the 'sent' flag.
 682 */
 683static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
 684                              unsigned long nr_segs, loff_t pos)
 685{
 686        int err;
 687        struct fuse_req *req;
 688        struct fuse_in *in;
 689        struct fuse_copy_state cs;
 690        unsigned reqsize;
 691        struct file *file = iocb->ki_filp;
 692        struct fuse_conn *fc = fuse_get_conn(file);
 693        if (!fc)
 694                return -EPERM;
 695
 696 restart:
 697        spin_lock(&fc->lock);
 698        err = -EAGAIN;
 699        if ((file->f_flags & O_NONBLOCK) && fc->connected &&
 700            !request_pending(fc))
 701                goto err_unlock;
 702
 703        request_wait(fc);
 704        err = -ENODEV;
 705        if (!fc->connected)
 706                goto err_unlock;
 707        err = -ERESTARTSYS;
 708        if (!request_pending(fc))
 709                goto err_unlock;
 710
 711        if (!list_empty(&fc->interrupts)) {
 712                req = list_entry(fc->interrupts.next, struct fuse_req,
 713                                 intr_entry);
 714                return fuse_read_interrupt(fc, req, iov, nr_segs);
 715        }
 716
 717        req = list_entry(fc->pending.next, struct fuse_req, list);
 718        req->state = FUSE_REQ_READING;
 719        list_move(&req->list, &fc->io);
 720
 721        in = &req->in;
 722        reqsize = in->h.len;
 723        /* If request is too large, reply with an error and restart the read */
 724        if (iov_length(iov, nr_segs) < reqsize) {
 725                req->out.h.error = -EIO;
 726                /* SETXATTR is special, since it may contain too large data */
 727                if (in->h.opcode == FUSE_SETXATTR)
 728                        req->out.h.error = -E2BIG;
 729                request_end(fc, req);
 730                goto restart;
 731        }
 732        spin_unlock(&fc->lock);
 733        fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
 734        err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
 735        if (!err)
 736                err = fuse_copy_args(&cs, in->numargs, in->argpages,
 737                                     (struct fuse_arg *) in->args, 0);
 738        fuse_copy_finish(&cs);
 739        spin_lock(&fc->lock);
 740        req->locked = 0;
 741        if (!err && req->aborted)
 742                err = -ENOENT;
 743        if (err) {
 744                if (!req->aborted)
 745                        req->out.h.error = -EIO;
 746                request_end(fc, req);
 747                return err;
 748        }
 749        if (!req->isreply)
 750                request_end(fc, req);
 751        else {
 752                req->state = FUSE_REQ_SENT;
 753                list_move_tail(&req->list, &fc->processing);
 754                if (req->interrupted)
 755                        queue_interrupt(fc, req);
 756                spin_unlock(&fc->lock);
 757        }
 758        return reqsize;
 759
 760 err_unlock:
 761        spin_unlock(&fc->lock);
 762        return err;
 763}
 764
 765/* Look up request on processing list by unique ID */
 766static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
 767{
 768        struct list_head *entry;
 769
 770        list_for_each(entry, &fc->processing) {
 771                struct fuse_req *req;
 772                req = list_entry(entry, struct fuse_req, list);
 773                if (req->in.h.unique == unique || req->intr_unique == unique)
 774                        return req;
 775        }
 776        return NULL;
 777}
 778
 779static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
 780                         unsigned nbytes)
 781{
 782        unsigned reqsize = sizeof(struct fuse_out_header);
 783
 784        if (out->h.error)
 785                return nbytes != reqsize ? -EINVAL : 0;
 786
 787        reqsize += len_args(out->numargs, out->args);
 788
 789        if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
 790                return -EINVAL;
 791        else if (reqsize > nbytes) {
 792                struct fuse_arg *lastarg = &out->args[out->numargs-1];
 793                unsigned diffsize = reqsize - nbytes;
 794                if (diffsize > lastarg->size)
 795                        return -EINVAL;
 796                lastarg->size -= diffsize;
 797        }
 798        return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
 799                              out->page_zeroing);
 800}
 801
 802/*
 803 * Write a single reply to a request.  First the header is copied from
 804 * the write buffer.  The request is then searched on the processing
 805 * list by the unique ID found in the header.  If found, then remove
 806 * it from the list and copy the rest of the buffer to the request.
 807 * The request is finished by calling request_end()
 808 */
 809static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
 810                               unsigned long nr_segs, loff_t pos)
 811{
 812        int err;
 813        unsigned nbytes = iov_length(iov, nr_segs);
 814        struct fuse_req *req;
 815        struct fuse_out_header oh;
 816        struct fuse_copy_state cs;
 817        struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
 818        if (!fc)
 819                return -EPERM;
 820
 821        fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
 822        if (nbytes < sizeof(struct fuse_out_header))
 823                return -EINVAL;
 824
 825        err = fuse_copy_one(&cs, &oh, sizeof(oh));
 826        if (err)
 827                goto err_finish;
 828        err = -EINVAL;
 829        if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
 830            oh.len != nbytes)
 831                goto err_finish;
 832
 833        spin_lock(&fc->lock);
 834        err = -ENOENT;
 835        if (!fc->connected)
 836                goto err_unlock;
 837
 838        req = request_find(fc, oh.unique);
 839        if (!req)
 840                goto err_unlock;
 841
 842        if (req->aborted) {
 843                spin_unlock(&fc->lock);
 844                fuse_copy_finish(&cs);
 845                spin_lock(&fc->lock);
 846                request_end(fc, req);
 847                return -ENOENT;
 848        }
 849        /* Is it an interrupt reply? */
 850        if (req->intr_unique == oh.unique) {
 851                err = -EINVAL;
 852                if (nbytes != sizeof(struct fuse_out_header))
 853                        goto err_unlock;
 854
 855                if (oh.error == -ENOSYS)
 856                        fc->no_interrupt = 1;
 857                else if (oh.error == -EAGAIN)
 858                        queue_interrupt(fc, req);
 859
 860                spin_unlock(&fc->lock);
 861                fuse_copy_finish(&cs);
 862                return nbytes;
 863        }
 864
 865        req->state = FUSE_REQ_WRITING;
 866        list_move(&req->list, &fc->io);
 867        req->out.h = oh;
 868        req->locked = 1;
 869        cs.req = req;
 870        spin_unlock(&fc->lock);
 871
 872        err = copy_out_args(&cs, &req->out, nbytes);
 873        fuse_copy_finish(&cs);
 874
 875        spin_lock(&fc->lock);
 876        req->locked = 0;
 877        if (!err) {
 878                if (req->aborted)
 879                        err = -ENOENT;
 880        } else if (!req->aborted)
 881                req->out.h.error = -EIO;
 882        request_end(fc, req);
 883
 884        return err ? err : nbytes;
 885
 886 err_unlock:
 887        spin_unlock(&fc->lock);
 888 err_finish:
 889        fuse_copy_finish(&cs);
 890        return err;
 891}
 892
 893static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
 894{
 895        unsigned mask = POLLOUT | POLLWRNORM;
 896        struct fuse_conn *fc = fuse_get_conn(file);
 897        if (!fc)
 898                return POLLERR;
 899
 900        poll_wait(file, &fc->waitq, wait);
 901
 902        spin_lock(&fc->lock);
 903        if (!fc->connected)
 904                mask = POLLERR;
 905        else if (request_pending(fc))
 906                mask |= POLLIN | POLLRDNORM;
 907        spin_unlock(&fc->lock);
 908
 909        return mask;
 910}
 911
 912/*
 913 * Abort all requests on the given list (pending or processing)
 914 *
 915 * This function releases and reacquires fc->lock
 916 */
 917static void end_requests(struct fuse_conn *fc, struct list_head *head)
 918{
 919        while (!list_empty(head)) {
 920                struct fuse_req *req;
 921                req = list_entry(head->next, struct fuse_req, list);
 922                req->out.h.error = -ECONNABORTED;
 923                request_end(fc, req);
 924                spin_lock(&fc->lock);
 925        }
 926}
 927
 928/*
 929 * Abort requests under I/O
 930 *
 931 * The requests are set to aborted and finished, and the request
 932 * waiter is woken up.  This will make request_wait_answer() wait
 933 * until the request is unlocked and then return.
 934 *
 935 * If the request is asynchronous, then the end function needs to be
 936 * called after waiting for the request to be unlocked (if it was
 937 * locked).
 938 */
 939static void end_io_requests(struct fuse_conn *fc)
 940{
 941        while (!list_empty(&fc->io)) {
 942                struct fuse_req *req =
 943                        list_entry(fc->io.next, struct fuse_req, list);
 944                void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
 945
 946                req->aborted = 1;
 947                req->out.h.error = -ECONNABORTED;
 948                req->state = FUSE_REQ_FINISHED;
 949                list_del_init(&req->list);
 950                wake_up(&req->waitq);
 951                if (end) {
 952                        req->end = NULL;
 953                        /* The end function will consume this reference */
 954                        __fuse_get_request(req);
 955                        spin_unlock(&fc->lock);
 956                        wait_event(req->waitq, !req->locked);
 957                        end(fc, req);
 958                        spin_lock(&fc->lock);
 959                }
 960        }
 961}
 962
 963/*
 964 * Abort all requests.
 965 *
 966 * Emergency exit in case of a malicious or accidental deadlock, or
 967 * just a hung filesystem.
 968 *
 969 * The same effect is usually achievable through killing the
 970 * filesystem daemon and all users of the filesystem.  The exception
 971 * is the combination of an asynchronous request and the tricky
 972 * deadlock (see Documentation/filesystems/fuse.txt).
 973 *
 974 * During the aborting, progression of requests from the pending and
 975 * processing lists onto the io list, and progression of new requests
 976 * onto the pending list is prevented by req->connected being false.
 977 *
 978 * Progression of requests under I/O to the processing list is
 979 * prevented by the req->aborted flag being true for these requests.
 980 * For this reason requests on the io list must be aborted first.
 981 */
 982void fuse_abort_conn(struct fuse_conn *fc)
 983{
 984        spin_lock(&fc->lock);
 985        if (fc->connected) {
 986                fc->connected = 0;
 987                fc->blocked = 0;
 988                end_io_requests(fc);
 989                end_requests(fc, &fc->pending);
 990                end_requests(fc, &fc->processing);
 991                wake_up_all(&fc->waitq);
 992                wake_up_all(&fc->blocked_waitq);
 993                kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 994        }
 995        spin_unlock(&fc->lock);
 996}
 997
 998static int fuse_dev_release(struct inode *inode, struct file *file)
 999{
1000        struct fuse_conn *fc = fuse_get_conn(file);

1001        if (fc) {
1002                spin_lock(&fc->lock);
1003                fc->connected = 0;
1004                end_requests(fc, &fc->pending);
1005                end_requests(fc, &fc->processing);
1006                spin_unlock(&fc->lock);
1007                fasync_helper(-1, file, 0, &fc->fasync);
1008                fuse_conn_put(fc);
1009        }
1010
1011        return 0;
1012}
1013
1014static int fuse_dev_fasync(int fd, struct file *file, int on)
1015{
1016        struct fuse_conn *fc = fuse_get_conn(file);
1017        if (!fc)
1018                return -EPERM;
1019
1020        /* No locking - fasync_helper does its own locking */
1021        return fasync_helper(fd, file, on, &fc->fasync);
1022}
1023
1024const struct file_operations fuse_dev_operations = {
1025        .owner          = THIS_MODULE,
1026        .llseek         = no_llseek,
1027        .read           = do_sync_read,
1028        .aio_read       = fuse_dev_read,
1029        .write          = do_sync_write,
1030        .aio_write      = fuse_dev_write,
1031        .poll           = fuse_dev_poll,
1032        .release        = fuse_dev_release,
1033        .fasync         = fuse_dev_fasync,
1034};
1035
1036static struct miscdevice fuse_miscdevice = {
1037        .minor = FUSE_MINOR,
1038        .name  = "fuse",
1039        .fops = &fuse_dev_operations,
1040};
1041
1042int __init fuse_dev_init(void)
1043{
1044        int err = -ENOMEM;
1045        fuse_req_cachep = kmem_cache_create("fuse_request",
1046                                            sizeof(struct fuse_req),
1047                                            0, 0, NULL, NULL);
1048        if (!fuse_req_cachep)
1049                goto out;
1050
1051        err = misc_register(&fuse_miscdevice);
1052        if (err)
1053                goto out_cache_clean;
1054
1055        return 0;
1056
1057 out_cache_clean:
1058        kmem_cache_destroy(fuse_req_cachep);
1059 out:
1060        return err;
1061}
1062
1063void fuse_dev_cleanup(void)
1064{
1065        misc_deregister(&fuse_miscdevice);
1066        kmem_cache_destroy(fuse_req_cachep);
1067}
1068