1        The text below describes the locking rules for VFS-related methods.
   2It is (believed to be) up-to-date. *Please*, if you change anything in
   3prototypes or locking protocols - update this file. And update the relevant
   4instances in the tree, don't leave that to maintainers of filesystems/devices/
   5etc. At the very least, put the list of dubious cases in the end of this file.
   6Don't turn it into log - maintainers of out-of-the-tree code are supposed to
   7be able to use diff(1).
   8        Thing currently missing here: socket operations. Alexey?
  10--------------------------- dentry_operations --------------------------
  12        int (*d_revalidate)(struct dentry *, unsigned int);
  13        int (*d_weak_revalidate)(struct dentry *, unsigned int);
  14        int (*d_hash)(const struct dentry *, struct qstr *);
  15        int (*d_compare)(const struct dentry *, const struct dentry *,
  16                        unsigned int, const char *, const struct qstr *);
  17        int (*d_delete)(struct dentry *);
  18        void (*d_release)(struct dentry *);
  19        void (*d_iput)(struct dentry *, struct inode *);
  20        char *(*d_dname)((struct dentry *dentry, char *buffer, int buflen);
  21        struct vfsmount *(*d_automount)(struct path *path);
  22        int (*d_manage)(struct dentry *, bool);
  24locking rules:
  25                rename_lock     ->d_lock        may block       rcu-walk
  26d_revalidate:   no              no              yes (ref-walk)  maybe
  27d_weak_revalidate:no            no              yes             no
  28d_hash          no              no              no              maybe
  29d_compare:      yes             no              no              maybe
  30d_delete:       no              yes             no              no
  31d_release:      no              no              yes             no
  32d_prune:        no              yes             no              no
  33d_iput:         no              no              yes             no
  34d_dname:        no              no              no              no
  35d_automount:    no              no              yes             no
  36d_manage:       no              no              yes (ref-walk)  maybe
  38--------------------------- inode_operations --------------------------- 
  40        int (*create) (struct inode *,struct dentry *,umode_t, bool);
  41        struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
  42        int (*link) (struct dentry *,struct inode *,struct dentry *);
  43        int (*unlink) (struct inode *,struct dentry *);
  44        int (*symlink) (struct inode *,struct dentry *,const char *);
  45        int (*mkdir) (struct inode *,struct dentry *,umode_t);
  46        int (*rmdir) (struct inode *,struct dentry *);
  47        int (*mknod) (struct inode *,struct dentry *,umode_t,dev_t);
  48        int (*rename) (struct inode *, struct dentry *,
  49                        struct inode *, struct dentry *);
  50        int (*readlink) (struct dentry *, char __user *,int);
  51        void * (*follow_link) (struct dentry *, struct nameidata *);
  52        void (*put_link) (struct dentry *, struct nameidata *, void *);
  53        void (*truncate) (struct inode *);
  54        int (*permission) (struct inode *, int, unsigned int);
  55        int (*get_acl)(struct inode *, int);
  56        int (*setattr) (struct dentry *, struct iattr *);
  57        int (*getattr) (struct vfsmount *, struct dentry *, struct kstat *);
  58        int (*setxattr) (struct dentry *, const char *,const void *,size_t,int);
  59        ssize_t (*getxattr) (struct dentry *, const char *, void *, size_t);
  60        ssize_t (*listxattr) (struct dentry *, char *, size_t);
  61        int (*removexattr) (struct dentry *, const char *);
  62        int (*fiemap)(struct inode *, struct fiemap_extent_info *, u64 start, u64 len);
  63        void (*update_time)(struct inode *, struct timespec *, int);
  64        int (*atomic_open)(struct inode *, struct dentry *,
  65                                struct file *, unsigned open_flag,
  66                                umode_t create_mode, int *opened);
  67        int (*tmpfile) (struct inode *, struct dentry *, umode_t);
  69locking rules:
  70        all may block
  71                i_mutex(inode)
  72lookup:         yes
  73create:         yes
  74link:           yes (both)
  75mknod:          yes
  76symlink:        yes
  77mkdir:          yes
  78unlink:         yes (both)
  79rmdir:          yes (both)      (see below)
  80rename:         yes (all)       (see below)
  81readlink:       no
  82follow_link:    no
  83put_link:       no
  84setattr:        yes
  85permission:     no (may not block if called in rcu-walk mode)
  86get_acl:        no
  87getattr:        no
  88setxattr:       yes
  89getxattr:       no
  90listxattr:      no
  91removexattr:    yes
  92fiemap:         no
  93update_time:    no
  94atomic_open:    yes
  95tmpfile:        no
  97        Additionally, ->rmdir(), ->unlink() and ->rename() have ->i_mutex on
  99        cross-directory ->rename() has (per-superblock) ->s_vfs_rename_sem.
 101See Documentation/filesystems/directory-locking for more detailed discussion
 102of the locking scheme for directory operations.
 104--------------------------- super_operations ---------------------------
 106        struct inode *(*alloc_inode)(struct super_block *sb);
 107        void (*destroy_inode)(struct inode *);
 108        void (*dirty_inode) (struct inode *, int flags);
 109        int (*write_inode) (struct inode *, struct writeback_control *wbc);
 110        int (*drop_inode) (struct inode *);
 111        void (*evict_inode) (struct inode *);
 112        void (*put_super) (struct super_block *);
 113        int (*sync_fs)(struct super_block *sb, int wait);
 114        int (*freeze_fs) (struct super_block *);
 115        int (*unfreeze_fs) (struct super_block *);
 116        int (*statfs) (struct dentry *, struct kstatfs *);
 117        int (*remount_fs) (struct super_block *, int *, char *);
 118        void (*umount_begin) (struct super_block *);
 119        int (*show_options)(struct seq_file *, struct dentry *);
 120        ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
 121        ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
 122        int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
 124locking rules:
 125        All may block [not true, see below]
 126                        s_umount
 131drop_inode:                             !!!inode->i_lock!!!
 133put_super:              write
 134sync_fs:                read
 135freeze_fs:              write
 136unfreeze_fs:            write
 137statfs:                 maybe(read)     (see below)
 138remount_fs:             write
 139umount_begin:           no
 140show_options:           no              (namespace_sem)
 141quota_read:             no              (see below)
 142quota_write:            no              (see below)
 143bdev_try_to_free_page:  no              (see below)
 145->statfs() has s_umount (shared) when called by ustat(2) (native or
 146compat), but that's an accident of bad API; s_umount is used to pin
 147the superblock down when we only have dev_t given us by userland to
 148identify the superblock.  Everything else (statfs(), fstatfs(), etc.)
 149doesn't hold it when calling ->statfs() - superblock is pinned down
 150by resolving the pathname passed to syscall.
 151->quota_read() and ->quota_write() functions are both guaranteed to
 152be the only ones operating on the quota file by the quota code (via
 153dqio_sem) (unless an admin really wants to screw up something and
 154writes to quota files with quotas on). For other details about locking
 155see also dquot_operations section.
 156->bdev_try_to_free_page is called from the ->releasepage handler of
 157the block device inode.  See there for more details.
 159--------------------------- file_system_type ---------------------------
 161        int (*get_sb) (struct file_system_type *, int,
 162                       const char *, void *, struct vfsmount *);
 163        struct dentry *(*mount) (struct file_system_type *, int,
 164                       const char *, void *);
 165        void (*kill_sb) (struct super_block *);
 166locking rules:
 167                may block
 168mount           yes
 169kill_sb         yes
 171->mount() returns ERR_PTR or the root dentry; its superblock should be locked
 172on return.
 173->kill_sb() takes a write-locked superblock, does all shutdown work on it,
 174unlocks and drops the reference.
 176--------------------------- address_space_operations --------------------------
 178        int (*writepage)(struct page *page, struct writeback_control *wbc);
 179        int (*readpage)(struct file *, struct page *);
 180        int (*sync_page)(struct page *);
 181        int (*writepages)(struct address_space *, struct writeback_control *);
 182        int (*set_page_dirty)(struct page *page);
 183        int (*readpages)(struct file *filp, struct address_space *mapping,
 184                        struct list_head *pages, unsigned nr_pages);
 185        int (*write_begin)(struct file *, struct address_space *mapping,
 186                                loff_t pos, unsigned len, unsigned flags,
 187                                struct page **pagep, void **fsdata);
 188        int (*write_end)(struct file *, struct address_space *mapping,
 189                                loff_t pos, unsigned len, unsigned copied,
 190                                struct page *page, void *fsdata);
 191        sector_t (*bmap)(struct address_space *, sector_t);
 192        void (*invalidatepage) (struct page *, unsigned int, unsigned int);
 193        int (*releasepage) (struct page *, int);
 194        void (*freepage)(struct page *);
 195        int (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
 196                        loff_t offset, unsigned long nr_segs);
 197        int (*get_xip_mem)(struct address_space *, pgoff_t, int, void **,
 198                                unsigned long *);
 199        int (*migratepage)(struct address_space *, struct page *, struct page *);
 200        int (*launder_page)(struct page *);
 201        int (*is_partially_uptodate)(struct page *, read_descriptor_t *, unsigned long);
 202        int (*error_remove_page)(struct address_space *, struct page *);
 203        int (*swap_activate)(struct file *);
 204        int (*swap_deactivate)(struct file *);
 206locking rules:
 207        All except set_page_dirty and freepage may block
 209                        PageLocked(page)        i_mutex
 210writepage:              yes, unlocks (see below)
 211readpage:               yes, unlocks
 212sync_page:              maybe
 214set_page_dirty          no
 216write_begin:            locks the page          yes
 217write_end:              yes, unlocks            yes
 219invalidatepage:         yes
 220releasepage:            yes
 221freepage:               yes
 223get_xip_mem:                                    maybe
 224migratepage:            yes (both)
 225launder_page:           yes
 226is_partially_uptodate:  yes
 227error_remove_page:      yes
 228swap_activate:          no
 229swap_deactivate:        no
 231        ->write_begin(), ->write_end(), ->sync_page() and ->readpage()
 232may be called from the request handler (/dev/loop).
 234        ->readpage() unlocks the page, either synchronously or via I/O
 237        ->readpages() populates the pagecache with the passed pages and starts
 238I/O against them.  They come unlocked upon I/O completion.
 240        ->writepage() is used for two purposes: for "memory cleansing" and for
 241"sync".  These are quite different operations and the behaviour may differ
 242depending upon the mode.
 244If writepage is called for sync (wbc->sync_mode != WBC_SYNC_NONE) then
 245it *must* start I/O against the page, even if that would involve
 246blocking on in-progress I/O.
 248If writepage is called for memory cleansing (sync_mode ==
 249WBC_SYNC_NONE) then its role is to get as much writeout underway as
 250possible.  So writepage should try to avoid blocking against
 251currently-in-progress I/O.
 253If the filesystem is not called for "sync" and it determines that it
 254would need to block against in-progress I/O to be able to start new I/O
 255against the page the filesystem should redirty the page with
 256redirty_page_for_writepage(), then unlock the page and return zero.
 257This may also be done to avoid internal deadlocks, but rarely.
 259If the filesystem is called for sync then it must wait on any
 260in-progress I/O and then start new I/O.
 262The filesystem should unlock the page synchronously, before returning to the
 263caller, unless ->writepage() returns special WRITEPAGE_ACTIVATE
 264value. WRITEPAGE_ACTIVATE means that page cannot really be written out
 265currently, and VM should stop calling ->writepage() on this page for some
 266time. VM does this by moving page to the head of the active list, hence the
 269Unless the filesystem is going to redirty_page_for_writepage(), unlock the page
 270and return zero, writepage *must* run set_page_writeback() against the page,
 271followed by unlocking it.  Once set_page_writeback() has been run against the
 272page, write I/O can be submitted and the write I/O completion handler must run
 273end_page_writeback() once the I/O is complete.  If no I/O is submitted, the
 274filesystem must run end_page_writeback() against the page before returning from
 277That is: after 2.5.12, pages which are under writeout are *not* locked.  Note,
 278if the filesystem needs the page to be locked during writeout, that is ok, too,
 279the page is allowed to be unlocked at any point in time between the calls to
 280set_page_writeback() and end_page_writeback().
 282Note, failure to run either redirty_page_for_writepage() or the combination of
 283set_page_writeback()/end_page_writeback() on a page submitted to writepage
 284will leave the page itself marked clean but it will be tagged as dirty in the
 285radix tree.  This incoherency can lead to all sorts of hard-to-debug problems
 286in the filesystem like having dirty inodes at umount and losing written data.
 288        ->sync_page() locking rules are not well-defined - usually it is called
 289with lock on page, but that is not guaranteed. Considering the currently
 290existing instances of this method ->sync_page() itself doesn't look
 293        ->writepages() is used for periodic writeback and for syscall-initiated
 294sync operations.  The address_space should start I/O against at least
 295*nr_to_write pages.  *nr_to_write must be decremented for each page which is
 296written.  The address_space implementation may write more (or less) pages
 297than *nr_to_write asks for, but it should try to be reasonably close.  If
 298nr_to_write is NULL, all dirty pages must be written.
 300writepages should _only_ write pages which are present on
 303        ->set_page_dirty() is called from various places in the kernel
 304when the target page is marked as needing writeback.  It may be called
 305under spinlock (it cannot block) and is sometimes called with the page
 306not locked.
 308        ->bmap() is currently used by legacy ioctl() (FIBMAP) provided by some
 309filesystems and by the swapper. The latter will eventually go away.  Please,
 310keep it that way and don't breed new callers.
 312        ->invalidatepage() is called when the filesystem must attempt to drop
 313some or all of the buffers from the page when it is being truncated. It
 314returns zero on success. If ->invalidatepage is zero, the kernel uses
 315block_invalidatepage() instead.
 317        ->releasepage() is called when the kernel is about to try to drop the
 318buffers from the page in preparation for freeing it.  It returns zero to
 319indicate that the buffers are (or may be) freeable.  If ->releasepage is zero,
 320the kernel assumes that the fs has no private interest in the buffers.
 322        ->freepage() is called when the kernel is done dropping the page
 323from the page cache.
 325        ->launder_page() may be called prior to releasing a page if
 326it is still found to be dirty. It returns zero if the page was successfully
 327cleaned, or an error value if not. Note that in order to prevent the page
 328getting mapped back in and redirtied, it needs to be kept locked
 329across the entire operation.
 331        ->swap_activate will be called with a non-zero argument on
 332files backing (non block device backed) swapfiles. A return value
 333of zero indicates success, in which case this file can be used for
 334backing swapspace. The swapspace operations will be proxied to the
 335address space operations.
 337        ->swap_deactivate() will be called in the sys_swapoff()
 338path after ->swap_activate() returned success.
 340----------------------- file_lock_operations ------------------------------
 342        void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
 343        void (*fl_release_private)(struct file_lock *);
 346locking rules:
 347                        inode->i_lock   may block
 348fl_copy_lock:           yes             no
 349fl_release_private:     maybe           no
 351----------------------- lock_manager_operations ---------------------------
 353        int (*lm_compare_owner)(struct file_lock *, struct file_lock *);
 354        unsigned long (*lm_owner_key)(struct file_lock *);
 355        void (*lm_notify)(struct file_lock *);  /* unblock callback */
 356        int (*lm_grant)(struct file_lock *, struct file_lock *, int);
 357        void (*lm_break)(struct file_lock *); /* break_lease callback */
 358        int (*lm_change)(struct file_lock **, int);
 360locking rules:
 362                        inode->i_lock   blocked_lock_lock       may block
 363lm_compare_owner:       yes[1]          maybe                   no
 364lm_owner_key            yes[1]          yes                     no
 365lm_notify:              yes             yes                     no
 366lm_grant:               no              no                      no
 367lm_break:               yes             no                      no
 368lm_change               yes             no                      no
 370[1]:    ->lm_compare_owner and ->lm_owner_key are generally called with
 371*an* inode->i_lock held. It may not be the i_lock of the inode
 372associated with either file_lock argument! This is the case with deadlock
 373detection, since the code has to chase down the owners of locks that may
 374be entirely unrelated to the one on which the lock is being acquired.
 375For deadlock detection however, the blocked_lock_lock is also held. The
 376fact that these locks are held ensures that the file_locks do not
 377disappear out from under you while doing the comparison or generating an
 378owner key.
 380--------------------------- buffer_head -----------------------------------
 382        void (*b_end_io)(struct buffer_head *bh, int uptodate);
 384locking rules:
 385        called from interrupts. In other words, extreme care is needed here.
 386bh is locked, but that's all warranties we have here. Currently only RAID1,
 387highmem, fs/buffer.c, and fs/ntfs/aops.c are providing these. Block devices
 388call this method upon the IO completion.
 390--------------------------- block_device_operations -----------------------
 392        int (*open) (struct block_device *, fmode_t);
 393        int (*release) (struct gendisk *, fmode_t);
 394        int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
 395        int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
 396        int (*direct_access) (struct block_device *, sector_t, void **, unsigned long *);
 397        int (*media_changed) (struct gendisk *);
 398        void (*unlock_native_capacity) (struct gendisk *);
 399        int (*revalidate_disk) (struct gendisk *);
 400        int (*getgeo)(struct block_device *, struct hd_geometry *);
 401        void (*swap_slot_free_notify) (struct block_device *, unsigned long);
 403locking rules:
 404                        bd_mutex
 405open:                   yes
 406release:                yes
 407ioctl:                  no
 408compat_ioctl:           no
 409direct_access:          no
 410media_changed:          no
 411unlock_native_capacity: no
 412revalidate_disk:        no
 413getgeo:                 no
 414swap_slot_free_notify:  no      (see below)
 416media_changed, unlock_native_capacity and revalidate_disk are called only from
 419swap_slot_free_notify is called with swap_lock and sometimes the page lock
 423--------------------------- file_operations -------------------------------
 425        loff_t (*llseek) (struct file *, loff_t, int);
 426        ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
 427        ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
 428        ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
 429        ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
 430        int (*iterate) (struct file *, struct dir_context *);
 431        unsigned int (*poll) (struct file *, struct poll_table_struct *);
 432        long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
 433        long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
 434        int (*mmap) (struct file *, struct vm_area_struct *);
 435        int (*open) (struct inode *, struct file *);
 436        int (*flush) (struct file *);
 437        int (*release) (struct inode *, struct file *);
 438        int (*fsync) (struct file *, loff_t start, loff_t end, int datasync);
 439        int (*aio_fsync) (struct kiocb *, int datasync);
 440        int (*fasync) (int, struct file *, int);
 441        int (*lock) (struct file *, int, struct file_lock *);
 442        ssize_t (*readv) (struct file *, const struct iovec *, unsigned long,
 443                        loff_t *);
 444        ssize_t (*writev) (struct file *, const struct iovec *, unsigned long,
 445                        loff_t *);
 446        ssize_t (*sendfile) (struct file *, loff_t *, size_t, read_actor_t,
 447                        void __user *);
 448        ssize_t (*sendpage) (struct file *, struct page *, int, size_t,
 449                        loff_t *, int);
 450        unsigned long (*get_unmapped_area)(struct file *, unsigned long,
 451                        unsigned long, unsigned long, unsigned long);
 452        int (*check_flags)(int);
 453        int (*flock) (struct file *, int, struct file_lock *);
 454        ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *,
 455                        size_t, unsigned int);
 456        ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *,
 457                        size_t, unsigned int);
 458        int (*setlease)(struct file *, long, struct file_lock **);
 459        long (*fallocate)(struct file *, int, loff_t, loff_t);
 462locking rules:
 463        All may block except for ->setlease.
 464        No VFS locks held on entry except for ->setlease.
 466->setlease has the file_list_lock held and must not sleep.
 468->llseek() locking has moved from llseek to the individual llseek
 469implementations.  If your fs is not using generic_file_llseek, you
 470need to acquire and release the appropriate locks in your ->llseek().
 471For many filesystems, it is probably safe to acquire the inode
 472mutex or just to use i_size_read() instead.
 473Note: this does not protect the file->f_pos against concurrent modifications
 474since this is something the userspace has to take care about.
 476->fasync() is responsible for maintaining the FASYNC bit in filp->f_flags.
 477Most instances call fasync_helper(), which does that maintenance, so it's
 478not normally something one needs to worry about.  Return values > 0 will be
 479mapped to zero in the VFS layer.
 481->readdir() and ->ioctl() on directories must be changed. Ideally we would
 482move ->readdir() to inode_operations and use a separate method for directory
 483->ioctl() or kill the latter completely. One of the problems is that for
 484anything that resembles union-mount we won't have a struct file for all
 485components. And there are other reasons why the current interface is a mess...
 487->read on directories probably must go away - we should just enforce -EISDIR
 488in sys_read() and friends.
 490--------------------------- dquot_operations -------------------------------
 492        int (*write_dquot) (struct dquot *);
 493        int (*acquire_dquot) (struct dquot *);
 494        int (*release_dquot) (struct dquot *);
 495        int (*mark_dirty) (struct dquot *);
 496        int (*write_info) (struct super_block *, int);
 498These operations are intended to be more or less wrapping functions that ensure
 499a proper locking wrt the filesystem and call the generic quota operations.
 501What filesystem should expect from the generic quota functions:
 503                FS recursion    Held locks when called
 504write_dquot:    yes             dqonoff_sem or dqptr_sem
 505acquire_dquot:  yes             dqonoff_sem or dqptr_sem
 506release_dquot:  yes             dqonoff_sem or dqptr_sem
 507mark_dirty:     no              -
 508write_info:     yes             dqonoff_sem
 510FS recursion means calling ->quota_read() and ->quota_write() from superblock
 513More details about quota locking can be found in fs/dquot.c.
 515--------------------------- vm_operations_struct -----------------------------
 517        void (*open)(struct vm_area_struct*);
 518        void (*close)(struct vm_area_struct*);
 519        int (*fault)(struct vm_area_struct*, struct vm_fault *);
 520        int (*page_mkwrite)(struct vm_area_struct *, struct vm_fault *);
 521        int (*access)(struct vm_area_struct *, unsigned long, void*, int, int);
 523locking rules:
 524                mmap_sem        PageLocked(page)
 525open:           yes
 526close:          yes
 527fault:          yes             can return with page locked
 528page_mkwrite:   yes             can return with page locked
 529access:         yes
 531        ->fault() is called when a previously not present pte is about
 532to be faulted in. The filesystem must find and return the page associated
 533with the passed in "pgoff" in the vm_fault structure. If it is possible that
 534the page may be truncated and/or invalidated, then the filesystem must lock
 535the page, then ensure it is not already truncated (the page lock will block
 536subsequent truncate), and then return with VM_FAULT_LOCKED, and the page
 537locked. The VM will unlock the page.
 539        ->page_mkwrite() is called when a previously read-only pte is
 540about to become writeable. The filesystem again must ensure that there are
 541no truncate/invalidate races, and then return with the page locked. If
 542the page has been truncated, the filesystem should not look up a new page
 543like the ->fault() handler, but simply return with VM_FAULT_NOPAGE, which
 544will cause the VM to retry the fault.
 546        ->access() is called when get_user_pages() fails in
 547acces_process_vm(), typically used to debug a process through
 548/proc/pid/mem or ptrace.  This function is needed only for
 552                        Dubious stuff
 554(if you break something or notice that it is broken and do not fix it yourself
 555- at least put it here)
 556 kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.