linux/Documentation/filesystems/Locking
   1        The text below describes the locking rules for VFS-related methods.
   2It is (believed to be) up-to-date. *Please*, if you change anything in
   3prototypes or locking protocols - update this file. And update the relevant
   4instances in the tree, don't leave that to maintainers of filesystems/devices/
   5etc. At the very least, put the list of dubious cases at the end of this file.
   6Don't turn it into a log - maintainers of out-of-the-tree code are supposed to
   7be able to use diff(1).
   8        Thing currently missing here: socket operations. Alexey?
   9
  10--------------------------- dentry_operations --------------------------
  11prototypes:
  12        int (*d_revalidate)(struct dentry *, struct nameidata *);
  13        int (*d_hash)(const struct dentry *, const struct inode *,
  14                        struct qstr *);
  15        int (*d_compare)(const struct dentry *, const struct inode *,
  16                        const struct dentry *, const struct inode *,
  17                        unsigned int, const char *, const struct qstr *);
  18        int (*d_delete)(struct dentry *);
  19        void (*d_release)(struct dentry *);
  20        void (*d_iput)(struct dentry *, struct inode *);
  21        char *(*d_dname)(struct dentry *dentry, char *buffer, int buflen);
  22        struct vfsmount *(*d_automount)(struct path *path);
  23        int (*d_manage)(struct dentry *, bool);
  24
  25locking rules:
  26                rename_lock     ->d_lock        may block       rcu-walk
  27d_revalidate:   no              no              yes (ref-walk)  maybe
  28d_hash          no              no              no              maybe
  29d_compare:      yes             no              no              maybe
  30d_delete:       no              yes             no              no
  31d_release:      no              no              yes             no
  32d_prune:        no              yes             no              no
  33d_iput:         no              no              yes             no
  34d_dname:        no              no              no              no
  35d_automount:    no              no              yes             no
  36d_manage:       no              no              yes (ref-walk)  maybe
  37
  38--------------------------- inode_operations --------------------------- 
  39prototypes:
  40        int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
  41        struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameidata *);
  43        int (*link) (struct dentry *,struct inode *,struct dentry *);
  44        int (*unlink) (struct inode *,struct dentry *);
  45        int (*symlink) (struct inode *,struct dentry *,const char *);
  46        int (*mkdir) (struct inode *,struct dentry *,int);
  47        int (*rmdir) (struct inode *,struct dentry *);
  48        int (*mknod) (struct inode *,struct dentry *,int,dev_t);
  49        int (*rename) (struct inode *, struct dentry *,
  50                        struct inode *, struct dentry *);
  51        int (*readlink) (struct dentry *, char __user *,int);
  52        void * (*follow_link) (struct dentry *, struct nameidata *);
  53        void (*put_link) (struct dentry *, struct nameidata *, void *);
  54        void (*truncate) (struct inode *);
  55        int (*permission) (struct inode *, int, unsigned int);
  56        int (*get_acl)(struct inode *, int);
  57        int (*setattr) (struct dentry *, struct iattr *);
  58        int (*getattr) (struct vfsmount *, struct dentry *, struct kstat *);
  59        int (*setxattr) (struct dentry *, const char *,const void *,size_t,int);
  60        ssize_t (*getxattr) (struct dentry *, const char *, void *, size_t);
  61        ssize_t (*listxattr) (struct dentry *, char *, size_t);
  62        int (*removexattr) (struct dentry *, const char *);
  63        void (*truncate_range)(struct inode *, loff_t, loff_t);
  64        int (*fiemap)(struct inode *, struct fiemap_extent_info *, u64 start, u64 len);
  65
  66locking rules:
  67        all may block
  68                i_mutex(inode)
  69lookup:         yes
  70create:         yes
  71link:           yes (both)
  72mknod:          yes
  73symlink:        yes
  74mkdir:          yes
  75unlink:         yes (both)
  76rmdir:          yes (both)      (see below)
  77rename:         yes (all)       (see below)
  78readlink:       no
  79follow_link:    no
  80put_link:       no
  81truncate:       yes             (see below)
  82setattr:        yes
  83permission:     no (may not block if called in rcu-walk mode)
  84get_acl:        no
  85getattr:        no
  86setxattr:       yes
  87getxattr:       no
  88listxattr:      no
  89removexattr:    yes
  90truncate_range: yes
  91fiemap:         no
  92        Additionally, ->rmdir(), ->unlink() and ->rename() have ->i_mutex on
  93victim.
  94        cross-directory ->rename() has (per-superblock) ->s_vfs_rename_sem.
  95        ->truncate() is never called directly - it's a callback, not a
  96method. It's called by vmtruncate() - deprecated library function used by
  97->setattr(). Locking information above applies to that call (i.e. is
  98inherited from ->setattr() - vmtruncate() is used when ATTR_SIZE had been
  99passed).
 100
 101See Documentation/filesystems/directory-locking for more detailed discussion
 102of the locking scheme for directory operations.
 103
 104--------------------------- super_operations ---------------------------
 105prototypes:
 106        struct inode *(*alloc_inode)(struct super_block *sb);
 107        void (*destroy_inode)(struct inode *);
 108        void (*dirty_inode) (struct inode *, int flags);
 109        int (*write_inode) (struct inode *, struct writeback_control *wbc);
 110        int (*drop_inode) (struct inode *);
 111        void (*evict_inode) (struct inode *);
 112        void (*put_super) (struct super_block *);
 113        void (*write_super) (struct super_block *);
 114        int (*sync_fs)(struct super_block *sb, int wait);
 115        int (*freeze_fs) (struct super_block *);
 116        int (*unfreeze_fs) (struct super_block *);
 117        int (*statfs) (struct dentry *, struct kstatfs *);
 118        int (*remount_fs) (struct super_block *, int *, char *);
 119        void (*umount_begin) (struct super_block *);
 120        int (*show_options)(struct seq_file *, struct vfsmount *);
 121        ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
 122        ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
 123        int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
 124
 125locking rules:
 126        All may block [not true, see below]
 127                        s_umount
 128alloc_inode:
 129destroy_inode:
 130dirty_inode:
 131write_inode:
 132drop_inode:                             !!!inode->i_lock!!!
 133evict_inode:
 134put_super:              write
 135write_super:            read
 136sync_fs:                read
 137freeze_fs:              read
 138unfreeze_fs:            read
 139statfs:                 maybe(read)     (see below)
 140remount_fs:             write
 141umount_begin:           no
 142show_options:           no              (namespace_sem)
 143quota_read:             no              (see below)
 144quota_write:            no              (see below)
 145bdev_try_to_free_page:  no              (see below)
 146
 147->statfs() has s_umount (shared) when called by ustat(2) (native or
 148compat), but that's an accident of bad API; s_umount is used to pin
 149the superblock down when we only have dev_t given us by userland to
 150identify the superblock.  Everything else (statfs(), fstatfs(), etc.)
 151doesn't hold it when calling ->statfs() - superblock is pinned down
 152by resolving the pathname passed to syscall.
 153->quota_read() and ->quota_write() functions are both guaranteed to
 154be the only ones operating on the quota file by the quota code (via
 155dqio_sem) (unless an admin really wants to screw up something and
 156writes to quota files with quotas on). For other details about locking
 157see also dquot_operations section.
 158->bdev_try_to_free_page is called from the ->releasepage handler of
 159the block device inode.  See there for more details.
 160
 161--------------------------- file_system_type ---------------------------
 162prototypes:
 163        int (*get_sb) (struct file_system_type *, int,
 164                       const char *, void *, struct vfsmount *);
 165        struct dentry *(*mount) (struct file_system_type *, int,
 166                       const char *, void *);
 167        void (*kill_sb) (struct super_block *);
 168locking rules:
 169                may block
 170mount           yes
 171kill_sb         yes
 172
 173->mount() returns ERR_PTR or the root dentry; its superblock should be locked
 174on return.
 175->kill_sb() takes a write-locked superblock, does all shutdown work on it,
 176unlocks and drops the reference.
 177
 178--------------------------- address_space_operations --------------------------
 179prototypes:
 180        int (*writepage)(struct page *page, struct writeback_control *wbc);
 181        int (*readpage)(struct file *, struct page *);
 182        int (*sync_page)(struct page *);
 183        int (*writepages)(struct address_space *, struct writeback_control *);
 184        int (*set_page_dirty)(struct page *page);
 185        int (*readpages)(struct file *filp, struct address_space *mapping,
 186                        struct list_head *pages, unsigned nr_pages);
 187        int (*write_begin)(struct file *, struct address_space *mapping,
 188                                loff_t pos, unsigned len, unsigned flags,
 189                                struct page **pagep, void **fsdata);
 190        int (*write_end)(struct file *, struct address_space *mapping,
 191                                loff_t pos, unsigned len, unsigned copied,
 192                                struct page *page, void *fsdata);
 193        sector_t (*bmap)(struct address_space *, sector_t);
 194        int (*invalidatepage) (struct page *, unsigned long);
 195        int (*releasepage) (struct page *, int);
 196        void (*freepage)(struct page *);
 197        int (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
 198                        loff_t offset, unsigned long nr_segs);
 199        int (*get_xip_mem)(struct address_space *, pgoff_t, int, void **,
 200                                unsigned long *);
 201        int (*migratepage)(struct address_space *, struct page *, struct page *);
 202        int (*launder_page)(struct page *);
 203        int (*is_partially_uptodate)(struct page *, read_descriptor_t *, unsigned long);
 204        int (*error_remove_page)(struct address_space *, struct page *);
 205
 206locking rules:
 207        All except set_page_dirty and freepage may block
 208
 209                        PageLocked(page)        i_mutex
 210writepage:              yes, unlocks (see below)
 211readpage:               yes, unlocks
 212sync_page:              maybe
 213writepages:
 214set_page_dirty          no
 215readpages:
 216write_begin:            locks the page          yes
 217write_end:              yes, unlocks            yes
 218bmap:
 219invalidatepage:         yes
 220releasepage:            yes
 221freepage:               yes
 222direct_IO:
 223get_xip_mem:                                    maybe
 224migratepage:            yes (both)
 225launder_page:           yes
 226is_partially_uptodate:  yes
 227error_remove_page:      yes
 228
 229        ->write_begin(), ->write_end(), ->sync_page() and ->readpage()
 230may be called from the request handler (/dev/loop).
 231
 232        ->readpage() unlocks the page, either synchronously or via I/O
 233completion.
 234
 235        ->readpages() populates the pagecache with the passed pages and starts
 236I/O against them.  They come unlocked upon I/O completion.
 237
 238        ->writepage() is used for two purposes: for "memory cleansing" and for
 239"sync".  These are quite different operations and the behaviour may differ
 240depending upon the mode.
 241
 242If writepage is called for sync (wbc->sync_mode != WBC_SYNC_NONE) then
 243it *must* start I/O against the page, even if that would involve
 244blocking on in-progress I/O.
 245
 246If writepage is called for memory cleansing (sync_mode ==
 247WBC_SYNC_NONE) then its role is to get as much writeout underway as
 248possible.  So writepage should try to avoid blocking against
 249currently-in-progress I/O.
 250
 251If the filesystem is not called for "sync" and it determines that it
 252would need to block against in-progress I/O to be able to start new I/O
 253against the page the filesystem should redirty the page with
 254redirty_page_for_writepage(), then unlock the page and return zero.
 255This may also be done to avoid internal deadlocks, but rarely.
 256
 257If the filesystem is called for sync then it must wait on any
 258in-progress I/O and then start new I/O.
 259
 260The filesystem should unlock the page synchronously, before returning to the
 261caller, unless ->writepage() returns special WRITEPAGE_ACTIVATE
 262value. WRITEPAGE_ACTIVATE means that page cannot really be written out
 263currently, and VM should stop calling ->writepage() on this page for some
 264time. VM does this by moving page to the head of the active list, hence the
 265name.
 266
 267Unless the filesystem is going to redirty_page_for_writepage(), unlock the page
 268and return zero, writepage *must* run set_page_writeback() against the page,
 269followed by unlocking it.  Once set_page_writeback() has been run against the
 270page, write I/O can be submitted and the write I/O completion handler must run
 271end_page_writeback() once the I/O is complete.  If no I/O is submitted, the
 272filesystem must run end_page_writeback() against the page before returning from
 273writepage.
 274
 275That is: after 2.5.12, pages which are under writeout are *not* locked.  Note
 276that if the filesystem needs the page to be locked during writeout, that is ok
 277too: the page is allowed to be unlocked at any point in time between the calls
 278to set_page_writeback() and end_page_writeback().
 279
 280Note, failure to run either redirty_page_for_writepage() or the combination of
 281set_page_writeback()/end_page_writeback() on a page submitted to writepage
 282will leave the page itself marked clean but it will be tagged as dirty in the
 283radix tree.  This incoherency can lead to all sorts of hard-to-debug problems
 284in the filesystem like having dirty inodes at umount and losing written data.
 285
 286        ->sync_page() locking rules are not well-defined - usually it is called
 287with lock on page, but that is not guaranteed. Considering the currently
 288existing instances of this method ->sync_page() itself doesn't look
 289well-defined...
 290
 291        ->writepages() is used for periodic writeback and for syscall-initiated
 292sync operations.  The address_space should start I/O against at least
 293*nr_to_write pages.  *nr_to_write must be decremented for each page which is
 294written.  The address_space implementation may write more (or fewer) pages
 295than *nr_to_write asks for, but it should try to be reasonably close.  If
 296nr_to_write is NULL, all dirty pages must be written.
 297
 298writepages should _only_ write pages which are present on
 299mapping->io_pages.
 300
 301        ->set_page_dirty() is called from various places in the kernel
 302when the target page is marked as needing writeback.  It may be called
 303under spinlock (it cannot block) and is sometimes called with the page
 304not locked.
 305
 306        ->bmap() is currently used by legacy ioctl() (FIBMAP) provided by some
 307filesystems and by the swapper. The latter will eventually go away.  Please,
 308keep it that way and don't breed new callers.
 309
 310        ->invalidatepage() is called when the filesystem must attempt to drop
 311some or all of the buffers from the page when it is being truncated.  It
 312returns zero on success.  If ->invalidatepage is zero, the kernel uses
 313block_invalidatepage() instead.
 314
 315        ->releasepage() is called when the kernel is about to try to drop the
 316buffers from the page in preparation for freeing it.  It returns zero to
 317indicate that the buffers are (or may be) freeable.  If ->releasepage is zero,
 318the kernel assumes that the fs has no private interest in the buffers.
 319
 320        ->freepage() is called when the kernel is done dropping the page
 321from the page cache.
 322
 323        ->launder_page() may be called prior to releasing a page if
 324it is still found to be dirty. It returns zero if the page was successfully
 325cleaned, or an error value if not. Note that in order to prevent the page
 326getting mapped back in and redirtied, it needs to be kept locked
 327across the entire operation.
 328
 329----------------------- file_lock_operations ------------------------------
 330prototypes:
 331        void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
 332        void (*fl_release_private)(struct file_lock *);
 333
 334
 335locking rules:
 336                        file_lock_lock  may block
 337fl_copy_lock:           yes             no
 338fl_release_private:     maybe           no
 339
 340----------------------- lock_manager_operations ---------------------------
 341prototypes:
 342        int (*lm_compare_owner)(struct file_lock *, struct file_lock *);
 343        void (*lm_notify)(struct file_lock *);  /* unblock callback */
 344        int (*lm_grant)(struct file_lock *, struct file_lock *, int);
 345        void (*lm_release_private)(struct file_lock *);
 346        void (*lm_break)(struct file_lock *); /* break_lease callback */
 347        int (*lm_change)(struct file_lock **, int);
 348
 349locking rules:
 350                        file_lock_lock  may block
 351lm_compare_owner:       yes             no
 352lm_notify:              yes             no
 353lm_grant:               no              no
 354lm_release_private:     maybe           no
 355lm_break:               yes             no
 356lm_change               yes             no
 357
 358--------------------------- buffer_head -----------------------------------
 359prototypes:
 360        void (*b_end_io)(struct buffer_head *bh, int uptodate);
 361
 362locking rules:
 363        called from interrupts. In other words, extreme care is needed here.
 364bh is locked, but that is the only guarantee we have here. Currently only RAID1,
 365highmem, fs/buffer.c, and fs/ntfs/aops.c are providing these. Block devices
 366call this method upon the IO completion.
 367
 368--------------------------- block_device_operations -----------------------
 369prototypes:
 370        int (*open) (struct block_device *, fmode_t);
 371        int (*release) (struct gendisk *, fmode_t);
 372        int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
 373        int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
 374        int (*direct_access) (struct block_device *, sector_t, void **, unsigned long *);
 375        int (*media_changed) (struct gendisk *);
 376        void (*unlock_native_capacity) (struct gendisk *);
 377        int (*revalidate_disk) (struct gendisk *);
 378        int (*getgeo)(struct block_device *, struct hd_geometry *);
 379        void (*swap_slot_free_notify) (struct block_device *, unsigned long);
 380
 381locking rules:
 382                        bd_mutex
 383open:                   yes
 384release:                yes
 385ioctl:                  no
 386compat_ioctl:           no
 387direct_access:          no
 388media_changed:          no
 389unlock_native_capacity: no
 390revalidate_disk:        no
 391getgeo:                 no
 392swap_slot_free_notify:  no      (see below)
 393
 394media_changed, unlock_native_capacity and revalidate_disk are called only from
 395check_disk_change().
 396
 397swap_slot_free_notify is called with swap_lock and sometimes the page lock
 398held.
 399
 400
 401--------------------------- file_operations -------------------------------
 402prototypes:
 403        loff_t (*llseek) (struct file *, loff_t, int);
 404        ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
 405        ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
 406        ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
 407        ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
 408        int (*readdir) (struct file *, void *, filldir_t);
 409        unsigned int (*poll) (struct file *, struct poll_table_struct *);
 410        long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
 411        long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
 412        int (*mmap) (struct file *, struct vm_area_struct *);
 413        int (*open) (struct inode *, struct file *);
 414        int (*flush) (struct file *);
 415        int (*release) (struct inode *, struct file *);
 416        int (*fsync) (struct file *, loff_t start, loff_t end, int datasync);
 417        int (*aio_fsync) (struct kiocb *, int datasync);
 418        int (*fasync) (int, struct file *, int);
 419        int (*lock) (struct file *, int, struct file_lock *);
 420        ssize_t (*readv) (struct file *, const struct iovec *, unsigned long,
 421                        loff_t *);
 422        ssize_t (*writev) (struct file *, const struct iovec *, unsigned long,
 423                        loff_t *);
 424        ssize_t (*sendfile) (struct file *, loff_t *, size_t, read_actor_t,
 425                        void __user *);
 426        ssize_t (*sendpage) (struct file *, struct page *, int, size_t,
 427                        loff_t *, int);
 428        unsigned long (*get_unmapped_area)(struct file *, unsigned long,
 429                        unsigned long, unsigned long, unsigned long);
 430        int (*check_flags)(int);
 431        int (*flock) (struct file *, int, struct file_lock *);
 432        ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *,
 433                        size_t, unsigned int);
 434        ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *,
 435                        size_t, unsigned int);
 436        int (*setlease)(struct file *, long, struct file_lock **);
 437        long (*fallocate)(struct file *, int, loff_t, loff_t);
 438};
 439
 440locking rules:
 441        All may block except for ->setlease.
 442        No VFS locks held on entry except for ->setlease.
 443
 444->setlease has the file_list_lock held and must not sleep.
 445
 446->llseek() locking has moved from llseek to the individual llseek
 447implementations.  If your fs is not using generic_file_llseek, you
 448need to acquire and release the appropriate locks in your ->llseek().
 449For many filesystems, it is probably safe to acquire the inode
 450mutex or just to use i_size_read() instead.
 451Note: this does not protect file->f_pos against concurrent modifications,
 452since that is something userspace has to take care of.
 453
 454->fasync() is responsible for maintaining the FASYNC bit in filp->f_flags.
 455Most instances call fasync_helper(), which does that maintenance, so it's
 456not normally something one needs to worry about.  Return values > 0 will be
 457mapped to zero in the VFS layer.
 458
 459->readdir() and ->ioctl() on directories must be changed. Ideally we would
 460move ->readdir() to inode_operations and use a separate method for directory
 461->ioctl() or kill the latter completely. One of the problems is that for
 462anything that resembles union-mount we won't have a struct file for all
 463components. And there are other reasons why the current interface is a mess...
 464
 465->read on directories probably must go away - we should just enforce -EISDIR
 466in sys_read() and friends.
 467
 468--------------------------- dquot_operations -------------------------------
 469prototypes:
 470        int (*write_dquot) (struct dquot *);
 471        int (*acquire_dquot) (struct dquot *);
 472        int (*release_dquot) (struct dquot *);
 473        int (*mark_dirty) (struct dquot *);
 474        int (*write_info) (struct super_block *, int);
 475
 476These operations are intended to be more or less wrapper functions that ensure
 477proper locking wrt the filesystem and call the generic quota operations.
 478
 479What filesystem should expect from the generic quota functions:
 480
 481                FS recursion    Held locks when called
 482write_dquot:    yes             dqonoff_sem or dqptr_sem
 483acquire_dquot:  yes             dqonoff_sem or dqptr_sem
 484release_dquot:  yes             dqonoff_sem or dqptr_sem
 485mark_dirty:     no              -
 486write_info:     yes             dqonoff_sem
 487
 488FS recursion means calling ->quota_read() and ->quota_write() from superblock
 489operations.
 490
 491More details about quota locking can be found in fs/dquot.c.
 492
 493--------------------------- vm_operations_struct -----------------------------
 494prototypes:
 495        void (*open)(struct vm_area_struct*);
 496        void (*close)(struct vm_area_struct*);
 497        int (*fault)(struct vm_area_struct*, struct vm_fault *);
 498        int (*page_mkwrite)(struct vm_area_struct *, struct vm_fault *);
 499        int (*access)(struct vm_area_struct *, unsigned long, void*, int, int);
 500
 501locking rules:
 502                mmap_sem        PageLocked(page)
 503open:           yes
 504close:          yes
 505fault:          yes             can return with page locked
 506page_mkwrite:   yes             can return with page locked
 507access:         yes
 508
 509        ->fault() is called when a previously not present pte is about
 510to be faulted in. The filesystem must find and return the page associated
 511with the passed in "pgoff" in the vm_fault structure. If it is possible that
 512the page may be truncated and/or invalidated, then the filesystem must lock
 513the page, then ensure it is not already truncated (the page lock will block
 514subsequent truncate), and then return with VM_FAULT_LOCKED, and the page
 515locked. The VM will unlock the page.
 516
 517        ->page_mkwrite() is called when a previously read-only pte is
 518about to become writeable. The filesystem again must ensure that there are
 519no truncate/invalidate races, and then return with the page locked. If
 520the page has been truncated, the filesystem should not look up a new page
 521like the ->fault() handler, but simply return with VM_FAULT_NOPAGE, which
 522will cause the VM to retry the fault.
 523
 524        ->access() is called when get_user_pages() fails in
 525access_process_vm(), typically used to debug a process through
 526/proc/pid/mem or ptrace.  This function is needed only for
 527VM_IO | VM_PFNMAP VMAs.
 528
 529================================================================================
 530                        Dubious stuff
 531
 532(if you break something or notice that it is broken and do not fix it yourself
 533- at least put it here)
 534