/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2008  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include "fuse_i.h"

#include <linux/init.h>
#include <linux/module.h>
#include <linux/poll.h>
#include <linux/sched/signal.h>
#include <linux/uio.h>
#include <linux/miscdevice.h>
#include <linux/pagemap.h>
#include <linux/file.h>
#include <linux/slab.h>
#include <linux/pipe_fs_i.h>
#include <linux/swap.h>
#include <linux/splice.h>
#include <linux/sched.h>

MODULE_ALIAS_MISCDEV(FUSE_MINOR);
MODULE_ALIAS("devname:fuse");

static struct kmem_cache *fuse_req_cachep;
29
static struct fuse_dev *fuse_get_dev(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return READ_ONCE(file->private_data);
}
38
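/*
 * Initialize a request: reset all fields, attach the supplied page
 * vector and start with a single reference in FR_PENDING state.
 */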
static void fuse_request_init(struct fuse_req *req, struct page **pages,
			      struct fuse_page_desc *page_descs,
			      unsigned npages)
42 {
43 memset(req, 0, sizeof(*req));
44 memset(pages, 0, sizeof(*pages) * npages);
45 memset(page_descs, 0, sizeof(*page_descs) * npages);
46 INIT_LIST_HEAD(&req->list);
47 INIT_LIST_HEAD(&req->intr_entry);
48 init_waitqueue_head(&req->waitq);
49 refcount_set(&req->count, 1);
50 req->pages = pages;
51 req->page_descs = page_descs;
52 req->max_pages = npages;
53 __set_bit(FR_PENDING, &req->flags);
54 }
55
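/*
 * Allocate a request with room for @npages pages.  Small page counts
 * use the inline arrays embedded in the request itself.
 */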
static struct fuse_req *__fuse_request_alloc(unsigned npages, gfp_t flags)
57 {
58 struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, flags);
59 if (req) {
60 struct page **pages;
61 struct fuse_page_desc *page_descs;
62
63 if (npages <= FUSE_REQ_INLINE_PAGES) {
64 pages = req->inline_pages;
65 page_descs = req->inline_page_descs;
66 } else {
67 pages = kmalloc_array(npages, sizeof(struct page *),
68 flags);
69 page_descs =
70 kmalloc_array(npages,
71 sizeof(struct fuse_page_desc),
72 flags);
73 }
74
75 if (!pages || !page_descs) {
76 kfree(pages);
77 kfree(page_descs);
78 kmem_cache_free(fuse_req_cachep, req);
79 return NULL;
80 }
81
82 fuse_request_init(req, pages, page_descs, npages);
83 }
84 return req;
85 }
86
struct fuse_req *fuse_request_alloc(unsigned npages)
88 {
89 return __fuse_request_alloc(npages, GFP_KERNEL);
90 }
91 EXPORT_SYMBOL_GPL(fuse_request_alloc);
92
struct fuse_req *fuse_request_alloc_nofs(unsigned npages)
94 {
95 return __fuse_request_alloc(npages, GFP_NOFS);
96 }
97
void fuse_request_free(struct fuse_req *req)
99 {
100 if (req->pages != req->inline_pages) {
101 kfree(req->pages);
102 kfree(req->page_descs);
103 }
104 kmem_cache_free(fuse_req_cachep, req);
105 }
106
void __fuse_get_request(struct fuse_req *req)
108 {
109 refcount_inc(&req->count);
110 }
111
112 /* Must be called with > 1 refcount */
static void __fuse_put_request(struct fuse_req *req)
114 {
115 refcount_dec(&req->count);
116 }
117
void fuse_set_initialized(struct fuse_conn *fc)
119 {
120 /* Make sure stores before this are seen on another CPU */
121 smp_wmb();
122 fc->initialized = 1;
123 }
124
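/*
 * Request allocation must block until the connection has been
 * initialized; background requests are additionally throttled while
 * fc->blocked is set.
 */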
static bool fuse_block_alloc(struct fuse_conn *fc, bool for_background)
126 {
127 return !fc->initialized || (for_background && fc->blocked);
128 }
129
static void fuse_drop_waiting(struct fuse_conn *fc)
{
	/*
	 * Lockless check of fc->connected is okay, because
	 * atomic_dec_and_test() provides a memory barrier matched with
	 * the one in fuse_wait_aborted() to ensure no wake-up is missed.
	 */
	if (atomic_dec_and_test(&fc->num_waiting) &&
	    !READ_ONCE(fc->connected)) {
		/* wake up aborters */
		wake_up_all(&fc->blocked_waitq);
	}
}
143
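/*
 * Common allocation path: account the caller in num_waiting, wait
 * until allocation is allowed, then fill in the credentials and pid
 * of the requesting task.
 */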
static struct fuse_req *__fuse_get_req(struct fuse_conn *fc, unsigned npages,
				       bool for_background)
146 {
147 struct fuse_req *req;
148 int err;
149 atomic_inc(&fc->num_waiting);
150
151 if (fuse_block_alloc(fc, for_background)) {
152 err = -EINTR;
153 if (wait_event_killable_exclusive(fc->blocked_waitq,
154 !fuse_block_alloc(fc, for_background)))
155 goto out;
156 }
157 /* Matches smp_wmb() in fuse_set_initialized() */
158 smp_rmb();
159
160 err = -ENOTCONN;
161 if (!fc->connected)
162 goto out;
163
164 err = -ECONNREFUSED;
165 if (fc->conn_error)
166 goto out;
167
168 req = fuse_request_alloc(npages);
169 err = -ENOMEM;
170 if (!req) {
171 if (for_background)
172 wake_up(&fc->blocked_waitq);
173 goto out;
174 }
175
176 req->in.h.uid = from_kuid(fc->user_ns, current_fsuid());
177 req->in.h.gid = from_kgid(fc->user_ns, current_fsgid());
178 req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns);
179
180 __set_bit(FR_WAITING, &req->flags);
181 if (for_background)
182 __set_bit(FR_BACKGROUND, &req->flags);
183
184 if (unlikely(req->in.h.uid == ((uid_t)-1) ||
185 req->in.h.gid == ((gid_t)-1))) {
186 fuse_put_request(fc, req);
187 return ERR_PTR(-EOVERFLOW);
188 }
189 return req;
190
191 out:
192 fuse_drop_waiting(fc);
193 return ERR_PTR(err);
194 }
195
struct fuse_req *fuse_get_req(struct fuse_conn *fc, unsigned npages)
197 {
198 return __fuse_get_req(fc, npages, false);
199 }
200 EXPORT_SYMBOL_GPL(fuse_get_req);
201
struct fuse_req *fuse_get_req_for_background(struct fuse_conn *fc,
					     unsigned npages)
204 {
205 return __fuse_get_req(fc, npages, true);
206 }
207 EXPORT_SYMBOL_GPL(fuse_get_req_for_background);
208
/*
 * Return the request in fuse_file->reserved_req.  However, that may
 * currently be in use.  If that is the case, wait for it to become
 * available.
 */
static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
					 struct file *file)
216 {
217 struct fuse_req *req = NULL;
218 struct fuse_file *ff = file->private_data;
219
220 do {
221 wait_event(fc->reserved_req_waitq, ff->reserved_req);
222 spin_lock(&fc->lock);
223 if (ff->reserved_req) {
224 req = ff->reserved_req;
225 ff->reserved_req = NULL;
226 req->stolen_file = get_file(file);
227 }
228 spin_unlock(&fc->lock);
229 } while (!req);
230
231 return req;
232 }
233
234 /*
235 * Put stolen request back into fuse_file->reserved_req
236 */
static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
238 {
239 struct file *file = req->stolen_file;
240 struct fuse_file *ff = file->private_data;
241
242 spin_lock(&fc->lock);
243 fuse_request_init(req, req->pages, req->page_descs, req->max_pages);
244 BUG_ON(ff->reserved_req);
245 ff->reserved_req = req;
246 wake_up_all(&fc->reserved_req_waitq);
247 spin_unlock(&fc->lock);
248 fput(file);
249 }
250
/*
 * Get a request for a file operation, always succeeds
 *
 * This is used for sending the FLUSH request, which must get to
 * userspace, due to POSIX locks which may need to be unlocked.
 *
 * If allocation fails due to OOM, use the reserved request in
 * fuse_file.
 *
 * This is very unlikely to deadlock accidentally, since the
 * filesystem should not have its own file open.  If deadlock is
 * intentional, it can still be broken by "aborting" the filesystem.
 */
struct fuse_req *fuse_get_req_nofail_nopages(struct fuse_conn *fc,
					     struct file *file)
266 {
267 struct fuse_req *req;
268
269 atomic_inc(&fc->num_waiting);
270 wait_event(fc->blocked_waitq, fc->initialized);
271 /* Matches smp_wmb() in fuse_set_initialized() */
272 smp_rmb();
273 req = fuse_request_alloc(0);
274 if (!req)
275 req = get_reserved_req(fc, file);
276
277 req->in.h.uid = from_kuid_munged(fc->user_ns, current_fsuid());
278 req->in.h.gid = from_kgid_munged(fc->user_ns, current_fsgid());
279 req->in.h.pid = pid_nr_ns(task_pid(current), fc->pid_ns);
280
281 __set_bit(FR_WAITING, &req->flags);
282 __clear_bit(FR_BACKGROUND, &req->flags);
283 return req;
284 }
285
void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
287 {
288 if (refcount_dec_and_test(&req->count)) {
289 if (test_bit(FR_BACKGROUND, &req->flags)) {
290 /*
291 * We get here in the unlikely case that a background
292 * request was allocated but not sent
293 */
294 spin_lock(&fc->lock);
295 if (!fc->blocked)
296 wake_up(&fc->blocked_waitq);
297 spin_unlock(&fc->lock);
298 }
299
300 if (test_bit(FR_WAITING, &req->flags)) {
301 __clear_bit(FR_WAITING, &req->flags);
302 fuse_drop_waiting(fc);
303 }
304
305 if (req->stolen_file)
306 put_reserved_req(fc, req);
307 else
308 fuse_request_free(req);
309 }
310 }
311 EXPORT_SYMBOL_GPL(fuse_put_request);
312
static unsigned len_args(unsigned numargs, struct fuse_arg *args)
314 {
315 unsigned nbytes = 0;
316 unsigned i;
317
318 for (i = 0; i < numargs; i++)
319 nbytes += args[i].size;
320
321 return nbytes;
322 }
323
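/* Allocate the next unique request id; called with fiq->lock held */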
static u64 fuse_get_unique(struct fuse_iqueue *fiq)
325 {
326 return ++fiq->reqctr;
327 }
328
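/* Add a request to the input queue and wake up the device reader */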
static void queue_request(struct fuse_iqueue *fiq, struct fuse_req *req)
330 {
331 req->in.h.len = sizeof(struct fuse_in_header) +
332 len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
333 list_add_tail(&req->list, &fiq->pending);
334 wake_up(&fiq->waitq);
335 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
336 }
337
void fuse_queue_forget(struct fuse_conn *fc, struct fuse_forget_link *forget,
		       u64 nodeid, u64 nlookup)
340 {
341 struct fuse_iqueue *fiq = &fc->iq;
342
343 forget->forget_one.nodeid = nodeid;
344 forget->forget_one.nlookup = nlookup;
345
346 spin_lock(&fiq->lock);
347 if (fiq->connected) {
348 fiq->forget_list_tail->next = forget;
349 fiq->forget_list_tail = forget;
350 wake_up(&fiq->waitq);
351 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
352 } else {
353 kfree(forget);
354 }
355 spin_unlock(&fiq->lock);
356 }
357
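/*
 * Move queued background requests to the input queue, up to the
 * max_background limit.  Called with fc->lock held.
 */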
static void flush_bg_queue(struct fuse_conn *fc)
359 {
360 while (fc->active_background < fc->max_background &&
361 !list_empty(&fc->bg_queue)) {
362 struct fuse_req *req;
363 struct fuse_iqueue *fiq = &fc->iq;
364
365 req = list_entry(fc->bg_queue.next, struct fuse_req, list);
366 list_del(&req->list);
367 fc->active_background++;
368 spin_lock(&fiq->lock);
369 req->in.h.unique = fuse_get_unique(fiq);
370 queue_request(fiq, req);
371 spin_unlock(&fiq->lock);
372 }
373 }
374
375 /*
376 * This function is called when a request is finished. Either a reply
377 * has arrived or it was aborted (and not yet sent) or some error
378 * occurred during communication with userspace, or the device file
379 * was closed. The requester thread is woken up (if still waiting),
380 * the 'end' callback is called if given, else the reference to the
381 * request is released
382 */
static void request_end(struct fuse_conn *fc, struct fuse_req *req)
384 {
385 struct fuse_iqueue *fiq = &fc->iq;
386
387 if (test_and_set_bit(FR_FINISHED, &req->flags))
388 goto put_request;
389
390 spin_lock(&fiq->lock);
391 list_del_init(&req->intr_entry);
392 spin_unlock(&fiq->lock);
393 WARN_ON(test_bit(FR_PENDING, &req->flags));
394 WARN_ON(test_bit(FR_SENT, &req->flags));
395 if (test_bit(FR_BACKGROUND, &req->flags)) {
396 spin_lock(&fc->lock);
397 clear_bit(FR_BACKGROUND, &req->flags);
398 if (fc->num_background == fc->max_background) {
399 fc->blocked = 0;
400 wake_up(&fc->blocked_waitq);
401 } else if (!fc->blocked) {
402 /*
403 * Wake up next waiter, if any. It's okay to use
404 * waitqueue_active(), as we've already synced up
405 * fc->blocked with waiters with the wake_up() call
406 * above.
407 */
408 if (waitqueue_active(&fc->blocked_waitq))
409 wake_up(&fc->blocked_waitq);
410 }
411
412 if (fc->num_background == fc->congestion_threshold && fc->sb) {
413 clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
414 clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
415 }
416 fc->num_background--;
417 fc->active_background--;
418 flush_bg_queue(fc);
419 spin_unlock(&fc->lock);
420 }
421 wake_up(&req->waitq);
422 if (req->end)
423 req->end(fc, req);
424 put_request:
425 fuse_put_request(fc, req);
426 }
427
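/*
 * Ask the userspace filesystem to interrupt a request that it has
 * already picked up.
 */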
static void queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req)
429 {
430 spin_lock(&fiq->lock);
431 if (test_bit(FR_FINISHED, &req->flags)) {
432 spin_unlock(&fiq->lock);
433 return;
434 }
435 if (list_empty(&req->intr_entry)) {
436 list_add_tail(&req->intr_entry, &fiq->interrupts);
437 wake_up(&fiq->waitq);
438 }
439 spin_unlock(&fiq->lock);
440 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
441 }
442
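/*
 * Wait for a request to complete.  A non-fatal signal queues an
 * INTERRUPT; a fatal signal aborts the request only while it is still
 * pending, otherwise the answer is waited for unconditionally.
 */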
static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
444 {
445 struct fuse_iqueue *fiq = &fc->iq;
446 int err;
447
448 if (!fc->no_interrupt) {
449 /* Any signal may interrupt this */
450 err = wait_event_interruptible(req->waitq,
451 test_bit(FR_FINISHED, &req->flags));
452 if (!err)
453 return;
454
455 set_bit(FR_INTERRUPTED, &req->flags);
456 /* matches barrier in fuse_dev_do_read() */
457 smp_mb__after_atomic();
458 if (test_bit(FR_SENT, &req->flags))
459 queue_interrupt(fiq, req);
460 }
461
462 if (!test_bit(FR_FORCE, &req->flags)) {
463 /* Only fatal signals may interrupt this */
464 err = wait_event_killable(req->waitq,
465 test_bit(FR_FINISHED, &req->flags));
466 if (!err)
467 return;
468
469 spin_lock(&fiq->lock);
470 /* Request is not yet in userspace, bail out */
471 if (test_bit(FR_PENDING, &req->flags)) {
472 list_del(&req->list);
473 spin_unlock(&fiq->lock);
474 __fuse_put_request(req);
475 req->out.h.error = -EINTR;
476 return;
477 }
478 spin_unlock(&fiq->lock);
479 }
480
481 /*
482 * Either request is already in userspace, or it was forced.
483 * Wait it out.
484 */
485 wait_event(req->waitq, test_bit(FR_FINISHED, &req->flags));
486 }
487
static void __fuse_request_send(struct fuse_conn *fc, struct fuse_req *req)
489 {
490 struct fuse_iqueue *fiq = &fc->iq;
491
492 BUG_ON(test_bit(FR_BACKGROUND, &req->flags));
493 spin_lock(&fiq->lock);
494 if (!fiq->connected) {
495 spin_unlock(&fiq->lock);
496 req->out.h.error = -ENOTCONN;
497 } else {
498 req->in.h.unique = fuse_get_unique(fiq);
499 queue_request(fiq, req);
500 /* acquire extra reference, since request is still needed
501 after request_end() */
502 __fuse_get_request(req);
503 spin_unlock(&fiq->lock);
504
505 request_wait_answer(fc, req);
506 /* Pairs with smp_wmb() in request_end() */
507 smp_rmb();
508 }
509 }
510
void fuse_request_send(struct fuse_conn *fc, struct fuse_req *req)
512 {
513 __set_bit(FR_ISREPLY, &req->flags);
514 if (!test_bit(FR_WAITING, &req->flags)) {
515 __set_bit(FR_WAITING, &req->flags);
516 atomic_inc(&fc->num_waiting);
517 }
518 __fuse_request_send(fc, req);
519 }
520 EXPORT_SYMBOL_GPL(fuse_request_send);
521
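/*
 * Adjust argument sizes for userspace filesystems that speak an older
 * protocol minor version.
 */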
static void fuse_adjust_compat(struct fuse_conn *fc, struct fuse_args *args)
523 {
524 if (fc->minor < 4 && args->in.h.opcode == FUSE_STATFS)
525 args->out.args[0].size = FUSE_COMPAT_STATFS_SIZE;
526
527 if (fc->minor < 9) {
528 switch (args->in.h.opcode) {
529 case FUSE_LOOKUP:
530 case FUSE_CREATE:
531 case FUSE_MKNOD:
532 case FUSE_MKDIR:
533 case FUSE_SYMLINK:
534 case FUSE_LINK:
535 args->out.args[0].size = FUSE_COMPAT_ENTRY_OUT_SIZE;
536 break;
537 case FUSE_GETATTR:
538 case FUSE_SETATTR:
539 args->out.args[0].size = FUSE_COMPAT_ATTR_OUT_SIZE;
540 break;
541 }
542 }
543 if (fc->minor < 12) {
544 switch (args->in.h.opcode) {
545 case FUSE_CREATE:
546 args->in.args[0].size = sizeof(struct fuse_open_in);
547 break;
548 case FUSE_MKNOD:
549 args->in.args[0].size = FUSE_COMPAT_MKNOD_IN_SIZE;
550 break;
551 }
552 }
553 }
554
ssize_t fuse_simple_request(struct fuse_conn *fc, struct fuse_args *args)
556 {
557 struct fuse_req *req;
558 ssize_t ret;
559
560 req = fuse_get_req(fc, 0);
561 if (IS_ERR(req))
562 return PTR_ERR(req);
563
564 /* Needs to be done after fuse_get_req() so that fc->minor is valid */
565 fuse_adjust_compat(fc, args);
566
567 req->in.h.opcode = args->in.h.opcode;
568 req->in.h.nodeid = args->in.h.nodeid;
569 req->in.numargs = args->in.numargs;
570 memcpy(req->in.args, args->in.args,
571 args->in.numargs * sizeof(struct fuse_in_arg));
572 req->out.argvar = args->out.argvar;
573 req->out.numargs = args->out.numargs;
574 memcpy(req->out.args, args->out.args,
575 args->out.numargs * sizeof(struct fuse_arg));
576 fuse_request_send(fc, req);
577 ret = req->out.h.error;
578 if (!ret && args->out.argvar) {
579 BUG_ON(args->out.numargs != 1);
580 ret = req->out.args[0].size;
581 }
582 fuse_put_request(fc, req);
583
584 return ret;
585 }
586
587 /*
588 * Called under fc->lock
589 *
590 * fc->connected must have been checked previously
591 */
void fuse_request_send_background_locked(struct fuse_conn *fc,
					 struct fuse_req *req)
594 {
595 BUG_ON(!test_bit(FR_BACKGROUND, &req->flags));
596 if (!test_bit(FR_WAITING, &req->flags)) {
597 __set_bit(FR_WAITING, &req->flags);
598 atomic_inc(&fc->num_waiting);
599 }
600 __set_bit(FR_ISREPLY, &req->flags);
601 fc->num_background++;
602 if (fc->num_background == fc->max_background)
603 fc->blocked = 1;
604 if (fc->num_background == fc->congestion_threshold && fc->sb) {
605 set_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
606 set_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
607 }
608 list_add_tail(&req->list, &fc->bg_queue);
609 flush_bg_queue(fc);
610 }
611
void fuse_request_send_background(struct fuse_conn *fc, struct fuse_req *req)
613 {
614 BUG_ON(!req->end);
615 spin_lock(&fc->lock);
616 if (fc->connected) {
617 fuse_request_send_background_locked(fc, req);
618 spin_unlock(&fc->lock);
619 } else {
620 spin_unlock(&fc->lock);
621 req->out.h.error = -ENOTCONN;
622 req->end(fc, req);
623 fuse_put_request(fc, req);
624 }
625 }
626 EXPORT_SYMBOL_GPL(fuse_request_send_background);
627
static int fuse_request_send_notify_reply(struct fuse_conn *fc,
					  struct fuse_req *req, u64 unique)
630 {
631 int err = -ENODEV;
632 struct fuse_iqueue *fiq = &fc->iq;
633
634 __clear_bit(FR_ISREPLY, &req->flags);
635 req->in.h.unique = unique;
636 spin_lock(&fiq->lock);
637 if (fiq->connected) {
638 queue_request(fiq, req);
639 err = 0;
640 }
641 spin_unlock(&fiq->lock);
642
643 return err;
644 }
645
void fuse_force_forget(struct file *file, u64 nodeid)
647 {
648 struct inode *inode = file_inode(file);
649 struct fuse_conn *fc = get_fuse_conn(inode);
650 struct fuse_req *req;
651 struct fuse_forget_in inarg;
652
653 memset(&inarg, 0, sizeof(inarg));
654 inarg.nlookup = 1;
655 req = fuse_get_req_nofail_nopages(fc, file);
656 req->in.h.opcode = FUSE_FORGET;
657 req->in.h.nodeid = nodeid;
658 req->in.numargs = 1;
659 req->in.args[0].size = sizeof(inarg);
660 req->in.args[0].value = &inarg;
661 __clear_bit(FR_ISREPLY, &req->flags);
662 __fuse_request_send(fc, req);
663 /* ignore errors */
664 fuse_put_request(fc, req);
665 }
666
/*
 * Lock the request.  Up to the next unlock_request() there mustn't be
 * anything that could cause a page-fault.  If the request was already
 * aborted, bail out.
 */
static int lock_request(struct fuse_req *req)
673 {
674 int err = 0;
675 if (req) {
676 spin_lock(&req->waitq.lock);
677 if (test_bit(FR_ABORTED, &req->flags))
678 err = -ENOENT;
679 else
680 set_bit(FR_LOCKED, &req->flags);
681 spin_unlock(&req->waitq.lock);
682 }
683 return err;
684 }
685
686 /*
687 * Unlock request. If it was aborted while locked, caller is responsible
688 * for unlocking and ending the request.
689 */
static int unlock_request(struct fuse_req *req)
691 {
692 int err = 0;
693 if (req) {
694 spin_lock(&req->waitq.lock);
695 if (test_bit(FR_ABORTED, &req->flags))
696 err = -ENOENT;
697 else
698 clear_bit(FR_LOCKED, &req->flags);
699 spin_unlock(&req->waitq.lock);
700 }
701 return err;
702 }
703
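/*
 * State for copying a request to or from userspace, either through an
 * iov_iter or through a set of pipe buffers (splice).
 */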
704 struct fuse_copy_state {
705 int write;
706 struct fuse_req *req;
707 struct iov_iter *iter;
708 struct pipe_buffer *pipebufs;
709 struct pipe_buffer *currbuf;
710 struct pipe_inode_info *pipe;
711 unsigned long nr_segs;
712 struct page *pg;
713 unsigned len;
714 unsigned offset;
715 unsigned move_pages:1;
716 };
717
static void fuse_copy_init(struct fuse_copy_state *cs, int write,
			   struct iov_iter *iter)
720 {
721 memset(cs, 0, sizeof(*cs));
722 cs->write = write;
723 cs->iter = iter;
724 }
725
726 /* Unmap and put previous page of userspace buffer */
static void fuse_copy_finish(struct fuse_copy_state *cs)
728 {
729 if (cs->currbuf) {
730 struct pipe_buffer *buf = cs->currbuf;
731
732 if (cs->write)
733 buf->len = PAGE_SIZE - cs->len;
734 cs->currbuf = NULL;
735 } else if (cs->pg) {
736 if (cs->write) {
737 flush_dcache_page(cs->pg);
738 set_page_dirty_lock(cs->pg);
739 }
740 put_page(cs->pg);
741 }
742 cs->pg = NULL;
743 }
744
/*
 * Get another pageful of userspace buffer, map it to kernel address
 * space, and lock the request
 */
static int fuse_copy_fill(struct fuse_copy_state *cs)
750 {
751 struct page *page;
752 int err;
753
754 err = unlock_request(cs->req);
755 if (err)
756 return err;
757
758 fuse_copy_finish(cs);
759 if (cs->pipebufs) {
760 struct pipe_buffer *buf = cs->pipebufs;
761
762 if (!cs->write) {
763 err = pipe_buf_confirm(cs->pipe, buf);
764 if (err)
765 return err;
766
767 BUG_ON(!cs->nr_segs);
768 cs->currbuf = buf;
769 cs->pg = buf->page;
770 cs->offset = buf->offset;
771 cs->len = buf->len;
772 cs->pipebufs++;
773 cs->nr_segs--;
774 } else {
775 if (cs->nr_segs == cs->pipe->buffers)
776 return -EIO;
777
778 page = alloc_page(GFP_HIGHUSER);
779 if (!page)
780 return -ENOMEM;
781
782 buf->page = page;
783 buf->offset = 0;
784 buf->len = 0;
785
786 cs->currbuf = buf;
787 cs->pg = page;
788 cs->offset = 0;
789 cs->len = PAGE_SIZE;
790 cs->pipebufs++;
791 cs->nr_segs++;
792 }
793 } else {
794 size_t off;
795 err = iov_iter_get_pages(cs->iter, &page, PAGE_SIZE, 1, &off);
796 if (err < 0)
797 return err;
798 BUG_ON(!err);
799 cs->len = err;
800 cs->offset = off;
801 cs->pg = page;
802 iov_iter_advance(cs->iter, err);
803 }
804
805 return lock_request(cs->req);
806 }
807
808 /* Do as much copy to/from userspace buffer as we can */
static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
810 {
811 unsigned ncpy = min(*size, cs->len);
812 if (val) {
813 void *pgaddr = kmap_atomic(cs->pg);
814 void *buf = pgaddr + cs->offset;
815
816 if (cs->write)
817 memcpy(buf, *val, ncpy);
818 else
819 memcpy(*val, buf, ncpy);
820
821 kunmap_atomic(pgaddr);
822 *val += ncpy;
823 }
824 *size -= ncpy;
825 cs->len -= ncpy;
826 cs->offset += ncpy;
827 return ncpy;
828 }
829
static int fuse_check_page(struct page *page)
831 {
832 if (page_mapcount(page) ||
833 page->mapping != NULL ||
834 (page->flags & PAGE_FLAGS_CHECK_AT_PREP &
835 ~(1 << PG_locked |
836 1 << PG_referenced |
837 1 << PG_uptodate |
838 1 << PG_lru |
839 1 << PG_active |
840 1 << PG_reclaim |
841 1 << PG_waiters))) {
842 printk(KERN_WARNING "fuse: trying to steal weird page\n");
843 printk(KERN_WARNING " page=%p index=%li flags=%08lx, count=%i, mapcount=%i, mapping=%p\n", page, page->index, page->flags, page_count(page), page_mapcount(page), page->mapping);
844 return 1;
845 }
846 return 0;
847 }
848
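/*
 * Try to steal the page backing a pipe buffer and install it in the
 * page cache in place of the old page.  Returns 1 if stealing isn't
 * possible, telling the caller to fall back to copying.
 */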
static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep)
850 {
851 int err;
852 struct page *oldpage = *pagep;
853 struct page *newpage;
854 struct pipe_buffer *buf = cs->pipebufs;
855
856 get_page(oldpage);
857 err = unlock_request(cs->req);
858 if (err)
859 goto out_put_old;
860
861 fuse_copy_finish(cs);
862
863 err = pipe_buf_confirm(cs->pipe, buf);
864 if (err)
865 goto out_put_old;
866
867 BUG_ON(!cs->nr_segs);
868 cs->currbuf = buf;
869 cs->len = buf->len;
870 cs->pipebufs++;
871 cs->nr_segs--;
872
873 if (cs->len != PAGE_SIZE)
874 goto out_fallback;
875
876 if (pipe_buf_steal(cs->pipe, buf) != 0)
877 goto out_fallback;
878
879 newpage = buf->page;
880
881 if (!PageUptodate(newpage))
882 SetPageUptodate(newpage);
883
884 ClearPageMappedToDisk(newpage);
885
886 if (fuse_check_page(newpage) != 0)
887 goto out_fallback_unlock;
888
	/*
	 * This is a new and locked page; it shouldn't be mapped or
	 * have any special flags on it
	 */
893 if (WARN_ON(page_mapped(oldpage)))
894 goto out_fallback_unlock;
895 if (WARN_ON(page_has_private(oldpage)))
896 goto out_fallback_unlock;
897 if (WARN_ON(PageDirty(oldpage) || PageWriteback(oldpage)))
898 goto out_fallback_unlock;
899 if (WARN_ON(PageMlocked(oldpage)))
900 goto out_fallback_unlock;
901
902 err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL);
903 if (err) {
904 unlock_page(newpage);
905 goto out_put_old;
906 }
907
908 get_page(newpage);
909
910 if (!(buf->flags & PIPE_BUF_FLAG_LRU))
911 lru_cache_add_file(newpage);
912
913 err = 0;
914 spin_lock(&cs->req->waitq.lock);
915 if (test_bit(FR_ABORTED, &cs->req->flags))
916 err = -ENOENT;
917 else
918 *pagep = newpage;
919 spin_unlock(&cs->req->waitq.lock);
920
921 if (err) {
922 unlock_page(newpage);
923 put_page(newpage);
924 goto out_put_old;
925 }
926
927 unlock_page(oldpage);
928 /* Drop ref for ap->pages[] array */
929 put_page(oldpage);
930 cs->len = 0;
931
932 err = 0;
933 out_put_old:
934 /* Drop ref obtained in this function */
935 put_page(oldpage);
936 return err;
937
938 out_fallback_unlock:
939 unlock_page(newpage);
940 out_fallback:
941 cs->pg = buf->page;
942 cs->offset = buf->offset;
943
944 err = lock_request(cs->req);
945 if (!err)
946 err = 1;
947
948 goto out_put_old;
949 }
950
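/*
 * Reference a request page from a pipe buffer instead of copying its
 * contents (splice read path).
 */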
static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page,
			 unsigned offset, unsigned count)
953 {
954 struct pipe_buffer *buf;
955 int err;
956
957 if (cs->nr_segs == cs->pipe->buffers)
958 return -EIO;
959
960 get_page(page);
961 err = unlock_request(cs->req);
962 if (err) {
963 put_page(page);
964 return err;
965 }
966
967 fuse_copy_finish(cs);
968
969 buf = cs->pipebufs;
970 buf->page = page;
971 buf->offset = offset;
972 buf->len = count;
973
974 cs->pipebufs++;
975 cs->nr_segs++;
976 cs->len = 0;
977
978 return 0;
979 }
980
981 /*
982 * Copy a page in the request to/from the userspace buffer. Must be
983 * done atomically
984 */
static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep,
			  unsigned offset, unsigned count, int zeroing)
987 {
988 int err;
989 struct page *page = *pagep;
990
991 if (page && zeroing && count < PAGE_SIZE)
992 clear_highpage(page);
993
994 while (count) {
995 if (cs->write && cs->pipebufs && page) {
996 /*
997 * Can't control lifetime of pipe buffers, so always
998 * copy user pages.
999 */
1000 if (cs->req->in.user_pages) {
1001 err = fuse_copy_fill(cs);
1002 if (err)
1003 return err;
1004 } else {
1005 return fuse_ref_page(cs, page, offset, count);
1006 }
1007 } else if (!cs->len) {
1008 if (cs->move_pages && page &&
1009 offset == 0 && count == PAGE_SIZE) {
1010 err = fuse_try_move_page(cs, pagep);
1011 if (err <= 0)
1012 return err;
1013 } else {
1014 err = fuse_copy_fill(cs);
1015 if (err)
1016 return err;
1017 }
1018 }
1019 if (page) {
1020 void *mapaddr = kmap_atomic(page);
1021 void *buf = mapaddr + offset;
1022 offset += fuse_copy_do(cs, &buf, &count);
1023 kunmap_atomic(mapaddr);
1024 } else
1025 offset += fuse_copy_do(cs, NULL, &count);
1026 }
1027 if (page && !cs->write)
1028 flush_dcache_page(page);
1029 return 0;
1030 }
1031
1032 /* Copy pages in the request to/from userspace buffer */
static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
			   int zeroing)
1035 {
1036 unsigned i;
1037 struct fuse_req *req = cs->req;
1038
1039 for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
1040 int err;
1041 unsigned offset = req->page_descs[i].offset;
1042 unsigned count = min(nbytes, req->page_descs[i].length);
1043
1044 err = fuse_copy_page(cs, &req->pages[i], offset, count,
1045 zeroing);
1046 if (err)
1047 return err;
1048
1049 nbytes -= count;
1050 }
1051 return 0;
1052 }
1053
1054 /* Copy a single argument in the request to/from userspace buffer */
static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
1056 {
1057 while (size) {
1058 if (!cs->len) {
1059 int err = fuse_copy_fill(cs);
1060 if (err)
1061 return err;
1062 }
1063 fuse_copy_do(cs, &val, &size);
1064 }
1065 return 0;
1066 }
1067
1068 /* Copy request arguments to/from userspace buffer */
static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
			  unsigned argpages, struct fuse_arg *args,
			  int zeroing)
1072 {
1073 int err = 0;
1074 unsigned i;
1075
1076 for (i = 0; !err && i < numargs; i++) {
1077 struct fuse_arg *arg = &args[i];
1078 if (i == numargs - 1 && argpages)
1079 err = fuse_copy_pages(cs, arg->size, zeroing);
1080 else
1081 err = fuse_copy_one(cs, arg->value, arg->size);
1082 }
1083 return err;
1084 }
1085
static int forget_pending(struct fuse_iqueue *fiq)
1087 {
1088 return fiq->forget_list_head.next != NULL;
1089 }
1090
static int request_pending(struct fuse_iqueue *fiq)
1092 {
1093 return !list_empty(&fiq->pending) || !list_empty(&fiq->interrupts) ||
1094 forget_pending(fiq);
1095 }
1096
1097 /*
1098 * Transfer an interrupt request to userspace
1099 *
1100 * Unlike other requests this is assembled on demand, without a need
1101 * to allocate a separate fuse_req structure.
1102 *
1103 * Called with fiq->lock held, releases it
1104 */
static int fuse_read_interrupt(struct fuse_iqueue *fiq,
			       struct fuse_copy_state *cs,
			       size_t nbytes, struct fuse_req *req)
__releases(fiq->lock)
1109 {
1110 struct fuse_in_header ih;
1111 struct fuse_interrupt_in arg;
1112 unsigned reqsize = sizeof(ih) + sizeof(arg);
1113 int err;
1114
1115 list_del_init(&req->intr_entry);
1116 req->intr_unique = fuse_get_unique(fiq);
1117 memset(&ih, 0, sizeof(ih));
1118 memset(&arg, 0, sizeof(arg));
1119 ih.len = reqsize;
1120 ih.opcode = FUSE_INTERRUPT;
1121 ih.unique = req->intr_unique;
1122 arg.unique = req->in.h.unique;
1123
1124 spin_unlock(&fiq->lock);
1125 if (nbytes < reqsize)
1126 return -EINVAL;
1127
1128 err = fuse_copy_one(cs, &ih, sizeof(ih));
1129 if (!err)
1130 err = fuse_copy_one(cs, &arg, sizeof(arg));
1131 fuse_copy_finish(cs);
1132
1133 return err ? err : reqsize;
1134 }
1135
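/*
 * Detach up to @max queued forget requests, returning the number
 * dequeued in @countp.
 */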
static struct fuse_forget_link *dequeue_forget(struct fuse_iqueue *fiq,
					       unsigned max,
					       unsigned *countp)
1139 {
1140 struct fuse_forget_link *head = fiq->forget_list_head.next;
1141 struct fuse_forget_link **newhead = &head;
1142 unsigned count;
1143
1144 for (count = 0; *newhead != NULL && count < max; count++)
1145 newhead = &(*newhead)->next;
1146
1147 fiq->forget_list_head.next = *newhead;
1148 *newhead = NULL;
1149 if (fiq->forget_list_head.next == NULL)
1150 fiq->forget_list_tail = &fiq->forget_list_head;
1151
1152 if (countp != NULL)
1153 *countp = count;
1154
1155 return head;
1156 }
1157
static int fuse_read_single_forget(struct fuse_iqueue *fiq,
				   struct fuse_copy_state *cs,
				   size_t nbytes)
__releases(fiq->lock)
1162 {
1163 int err;
1164 struct fuse_forget_link *forget = dequeue_forget(fiq, 1, NULL);
1165 struct fuse_forget_in arg = {
1166 .nlookup = forget->forget_one.nlookup,
1167 };
1168 struct fuse_in_header ih = {
1169 .opcode = FUSE_FORGET,
1170 .nodeid = forget->forget_one.nodeid,
1171 .unique = fuse_get_unique(fiq),
1172 .len = sizeof(ih) + sizeof(arg),
1173 };
1174
1175 spin_unlock(&fiq->lock);
1176 kfree(forget);
1177 if (nbytes < ih.len)
1178 return -EINVAL;
1179
1180 err = fuse_copy_one(cs, &ih, sizeof(ih));
1181 if (!err)
1182 err = fuse_copy_one(cs, &arg, sizeof(arg));
1183 fuse_copy_finish(cs);
1184
1185 if (err)
1186 return err;
1187
1188 return ih.len;
1189 }
1190
static int fuse_read_batch_forget(struct fuse_iqueue *fiq,
				  struct fuse_copy_state *cs, size_t nbytes)
__releases(fiq->lock)
1194 {
1195 int err;
1196 unsigned max_forgets;
1197 unsigned count;
1198 struct fuse_forget_link *head;
1199 struct fuse_batch_forget_in arg = { .count = 0 };
1200 struct fuse_in_header ih = {
1201 .opcode = FUSE_BATCH_FORGET,
1202 .unique = fuse_get_unique(fiq),
1203 .len = sizeof(ih) + sizeof(arg),
1204 };
1205
1206 if (nbytes < ih.len) {
1207 spin_unlock(&fiq->lock);
1208 return -EINVAL;
1209 }
1210
1211 max_forgets = (nbytes - ih.len) / sizeof(struct fuse_forget_one);
1212 head = dequeue_forget(fiq, max_forgets, &count);
1213 spin_unlock(&fiq->lock);
1214
1215 arg.count = count;
1216 ih.len += count * sizeof(struct fuse_forget_one);
1217 err = fuse_copy_one(cs, &ih, sizeof(ih));
1218 if (!err)
1219 err = fuse_copy_one(cs, &arg, sizeof(arg));
1220
1221 while (head) {
1222 struct fuse_forget_link *forget = head;
1223
1224 if (!err) {
1225 err = fuse_copy_one(cs, &forget->forget_one,
1226 sizeof(forget->forget_one));
1227 }
1228 head = forget->next;
1229 kfree(forget);
1230 }
1231
1232 fuse_copy_finish(cs);
1233
1234 if (err)
1235 return err;
1236
1237 return ih.len;
1238 }
1239
static int fuse_read_forget(struct fuse_conn *fc, struct fuse_iqueue *fiq,
			    struct fuse_copy_state *cs,
			    size_t nbytes)
__releases(fiq->lock)
1244 {
1245 if (fc->minor < 16 || fiq->forget_list_head.next->next == NULL)
1246 return fuse_read_single_forget(fiq, cs, nbytes);
1247 else
1248 return fuse_read_batch_forget(fiq, cs, nbytes);
1249 }
1250
1251 /*
1252 * Read a single request into the userspace filesystem's buffer. This
1253 * function waits until a request is available, then removes it from
1254 * the pending list and copies request data to userspace buffer. If
1255 * no reply is needed (FORGET) or request has been aborted or there
1256 * was an error during the copying then it's finished by calling
1257 * request_end(). Otherwise add it to the processing list, and set
1258 * the 'sent' flag.
1259 */
static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file,
				struct fuse_copy_state *cs, size_t nbytes)
1262 {
1263 ssize_t err;
1264 struct fuse_conn *fc = fud->fc;
1265 struct fuse_iqueue *fiq = &fc->iq;
1266 struct fuse_pqueue *fpq = &fud->pq;
1267 struct fuse_req *req;
1268 struct fuse_in *in;
1269 unsigned reqsize;
1270
1271 restart:
1272 for (;;) {
1273 spin_lock(&fiq->lock);
1274 if (!fiq->connected || request_pending(fiq))
1275 break;
1276 spin_unlock(&fiq->lock);
1277
1278 if (file->f_flags & O_NONBLOCK)
1279 return -EAGAIN;
1280 err = wait_event_interruptible_exclusive(fiq->waitq,
1281 !fiq->connected || request_pending(fiq));
1282 if (err)
1283 return err;
1284 }
1285
1286 if (!fiq->connected) {
1287 err = (fc->aborted && fc->abort_err) ? -ECONNABORTED : -ENODEV;
1288 goto err_unlock;
1289 }
1290
1291 if (!list_empty(&fiq->interrupts)) {
1292 req = list_entry(fiq->interrupts.next, struct fuse_req,
1293 intr_entry);
1294 return fuse_read_interrupt(fiq, cs, nbytes, req);
1295 }
1296
1297 if (forget_pending(fiq)) {
1298 if (list_empty(&fiq->pending) || fiq->forget_batch-- > 0)
1299 return fuse_read_forget(fc, fiq, cs, nbytes);
1300
1301 if (fiq->forget_batch <= -8)
1302 fiq->forget_batch = 16;
1303 }
1304
1305 req = list_entry(fiq->pending.next, struct fuse_req, list);
1306 clear_bit(FR_PENDING, &req->flags);
1307 list_del_init(&req->list);
1308 spin_unlock(&fiq->lock);
1309
1310 in = &req->in;
1311 reqsize = in->h.len;
1312
1313 /* If request is too large, reply with an error and restart the read */
1314 if (nbytes < reqsize) {
1315 req->out.h.error = -EIO;
1316 /* SETXATTR is special, since it may contain too large data */
1317 if (in->h.opcode == FUSE_SETXATTR)
1318 req->out.h.error = -E2BIG;
1319 request_end(fc, req);
1320 goto restart;
1321 }
1322 spin_lock(&fpq->lock);
1323 list_add(&req->list, &fpq->io);
1324 spin_unlock(&fpq->lock);
1325 cs->req = req;
1326 err = fuse_copy_one(cs, &in->h, sizeof(in->h));
1327 if (!err)
1328 err = fuse_copy_args(cs, in->numargs, in->argpages,
1329 (struct fuse_arg *) in->args, 0);
1330 fuse_copy_finish(cs);
1331 spin_lock(&fpq->lock);
1332 clear_bit(FR_LOCKED, &req->flags);
1333 if (!fpq->connected) {
1334 err = (fc->aborted && fc->abort_err) ? -ECONNABORTED : -ENODEV;
1335 goto out_end;
1336 }
1337 if (err) {
1338 req->out.h.error = -EIO;
1339 goto out_end;
1340 }
1341 if (!test_bit(FR_ISREPLY, &req->flags)) {
1342 err = reqsize;
1343 goto out_end;
1344 }
1345 list_move_tail(&req->list, &fpq->processing);
1346 __fuse_get_request(req);
1347 set_bit(FR_SENT, &req->flags);
1348 spin_unlock(&fpq->lock);
1349 /* matches barrier in request_wait_answer() */
1350 smp_mb__after_atomic();
1351 if (test_bit(FR_INTERRUPTED, &req->flags))
1352 queue_interrupt(fiq, req);
1353 fuse_put_request(fc, req);
1354
1355 return reqsize;
1356
1357 out_end:
1358 if (!test_bit(FR_PRIVATE, &req->flags))
1359 list_del_init(&req->list);
1360 spin_unlock(&fpq->lock);
1361 request_end(fc, req);
1362 return err;
1363
1364 err_unlock:
1365 spin_unlock(&fiq->lock);
1366 return err;
1367 }
1368
static int fuse_dev_open(struct inode *inode, struct file *file)
1370 {
1371 /*
1372 * The fuse device's file's private_data is used to hold
1373 * the fuse_conn(ection) when it is mounted, and is used to
1374 * keep track of whether the file has been mounted already.
1375 */
1376 file->private_data = NULL;
1377 return 0;
1378 }
1379
static ssize_t fuse_dev_read(struct kiocb *iocb, struct iov_iter *to)
1381 {
1382 struct fuse_copy_state cs;
1383 struct file *file = iocb->ki_filp;
1384 struct fuse_dev *fud = fuse_get_dev(file);
1385
1386 if (!fud)
1387 return -EPERM;
1388
1389 if (!iter_is_iovec(to))
1390 return -EINVAL;
1391
1392 fuse_copy_init(&cs, 1, to);
1393
1394 return fuse_dev_do_read(fud, file, &cs, iov_iter_count(to));
1395 }
1396
static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
				    struct pipe_inode_info *pipe,
				    size_t len, unsigned int flags)
1400 {
1401 int total, ret;
1402 int page_nr = 0;
1403 struct pipe_buffer *bufs;
1404 struct fuse_copy_state cs;
1405 struct fuse_dev *fud = fuse_get_dev(in);
1406
1407 if (!fud)
1408 return -EPERM;
1409
1410 bufs = kvmalloc_array(pipe->buffers, sizeof(struct pipe_buffer),
1411 GFP_KERNEL);
1412 if (!bufs)
1413 return -ENOMEM;
1414
1415 fuse_copy_init(&cs, 1, NULL);
1416 cs.pipebufs = bufs;
1417 cs.pipe = pipe;
1418 ret = fuse_dev_do_read(fud, in, &cs, len);
1419 if (ret < 0)
1420 goto out;
1421
1422 if (pipe->nrbufs + cs.nr_segs > pipe->buffers) {
1423 ret = -EIO;
1424 goto out;
1425 }
1426
1427 for (ret = total = 0; page_nr < cs.nr_segs; total += ret) {
1428 /*
1429 * Need to be careful about this. Having buf->ops in module
1430 * code can Oops if the buffer persists after module unload.
1431 */
1432 bufs[page_nr].ops = &nosteal_pipe_buf_ops;
1433 bufs[page_nr].flags = 0;
1434 ret = add_to_pipe(pipe, &bufs[page_nr++]);
1435 if (unlikely(ret < 0))
1436 break;
1437 }
1438 if (total)
1439 ret = total;
1440 out:
1441 for (; page_nr < cs.nr_segs; page_nr++)
1442 put_page(bufs[page_nr].page);
1443
1444 kvfree(bufs);
1445 return ret;
1446 }
1447
static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
			    struct fuse_copy_state *cs)
1450 {
1451 struct fuse_notify_poll_wakeup_out outarg;
1452 int err = -EINVAL;
1453
1454 if (size != sizeof(outarg))
1455 goto err;
1456
1457 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1458 if (err)
1459 goto err;
1460
1461 fuse_copy_finish(cs);
1462 return fuse_notify_poll_wakeup(fc, &outarg);
1463
1464 err:
1465 fuse_copy_finish(cs);
1466 return err;
1467 }
1468
static int fuse_notify_inval_inode(struct fuse_conn *fc, unsigned int size,
				   struct fuse_copy_state *cs)
1471 {
1472 struct fuse_notify_inval_inode_out outarg;
1473 int err = -EINVAL;
1474
1475 if (size != sizeof(outarg))
1476 goto err;
1477
1478 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1479 if (err)
1480 goto err;
1481 fuse_copy_finish(cs);
1482
1483 down_read(&fc->killsb);
1484 err = -ENOENT;
1485 if (fc->sb) {
1486 err = fuse_reverse_inval_inode(fc->sb, outarg.ino,
1487 outarg.off, outarg.len);
1488 }
1489 up_read(&fc->killsb);
1490 return err;
1491
1492 err:
1493 fuse_copy_finish(cs);
1494 return err;
1495 }
1496
static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
				   struct fuse_copy_state *cs)
1499 {
1500 struct fuse_notify_inval_entry_out outarg;
1501 int err = -ENOMEM;
1502 char *buf;
1503 struct qstr name;
1504
1505 buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
1506 if (!buf)
1507 goto err;
1508
1509 err = -EINVAL;
1510 if (size < sizeof(outarg))
1511 goto err;
1512
1513 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1514 if (err)
1515 goto err;
1516
1517 err = -ENAMETOOLONG;
1518 if (outarg.namelen > FUSE_NAME_MAX)
1519 goto err;
1520
1521 err = -EINVAL;
1522 if (size != sizeof(outarg) + outarg.namelen + 1)
1523 goto err;
1524
1525 name.name = buf;
1526 name.len = outarg.namelen;
1527 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
1528 if (err)
1529 goto err;
1530 fuse_copy_finish(cs);
1531 buf[outarg.namelen] = 0;
1532
1533 down_read(&fc->killsb);
1534 err = -ENOENT;
1535 if (fc->sb)
1536 err = fuse_reverse_inval_entry(fc->sb, outarg.parent, 0, &name);
1537 up_read(&fc->killsb);
1538 kfree(buf);
1539 return err;
1540
1541 err:
1542 kfree(buf);
1543 fuse_copy_finish(cs);
1544 return err;
1545 }
1546
static int fuse_notify_delete(struct fuse_conn *fc, unsigned int size,
			      struct fuse_copy_state *cs)
1549 {
1550 struct fuse_notify_delete_out outarg;
1551 int err = -ENOMEM;
1552 char *buf;
1553 struct qstr name;
1554
1555 buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
1556 if (!buf)
1557 goto err;
1558
1559 err = -EINVAL;
1560 if (size < sizeof(outarg))
1561 goto err;
1562
1563 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1564 if (err)
1565 goto err;
1566
1567 err = -ENAMETOOLONG;
1568 if (outarg.namelen > FUSE_NAME_MAX)
1569 goto err;
1570
1571 err = -EINVAL;
1572 if (size != sizeof(outarg) + outarg.namelen + 1)
1573 goto err;
1574
1575 name.name = buf;
1576 name.len = outarg.namelen;
1577 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
1578 if (err)
1579 goto err;
1580 fuse_copy_finish(cs);
1581 buf[outarg.namelen] = 0;
1582
1583 down_read(&fc->killsb);
1584 err = -ENOENT;
1585 if (fc->sb)
1586 err = fuse_reverse_inval_entry(fc->sb, outarg.parent,
1587 outarg.child, &name);
1588 up_read(&fc->killsb);
1589 kfree(buf);
1590 return err;
1591
1592 err:
1593 kfree(buf);
1594 fuse_copy_finish(cs);
1595 return err;
1596 }
1597
static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
			     struct fuse_copy_state *cs)
1600 {
1601 struct fuse_notify_store_out outarg;
1602 struct inode *inode;
1603 struct address_space *mapping;
1604 u64 nodeid;
1605 int err;
1606 pgoff_t index;
1607 unsigned int offset;
1608 unsigned int num;
1609 loff_t file_size;
1610 loff_t end;
1611
1612 err = -EINVAL;
1613 if (size < sizeof(outarg))
1614 goto out_finish;
1615
1616 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1617 if (err)
1618 goto out_finish;
1619
1620 err = -EINVAL;
1621 if (size - sizeof(outarg) != outarg.size)
1622 goto out_finish;
1623
1624 nodeid = outarg.nodeid;
1625
1626 down_read(&fc->killsb);
1627
1628 err = -ENOENT;
1629 if (!fc->sb)
1630 goto out_up_killsb;
1631
1632 inode = ilookup5(fc->sb, nodeid, fuse_inode_eq, &nodeid);
1633 if (!inode)
1634 goto out_up_killsb;
1635
1636 mapping = inode->i_mapping;
1637 index = outarg.offset >> PAGE_SHIFT;
1638 offset = outarg.offset & ~PAGE_MASK;
1639 file_size = i_size_read(inode);
1640 end = outarg.offset + outarg.size;
1641 if (end > file_size) {
1642 file_size = end;
1643 fuse_write_update_size(inode, file_size);
1644 }
1645
1646 num = outarg.size;
1647 while (num) {
1648 struct page *page;
1649 unsigned int this_num;
1650
1651 err = -ENOMEM;
1652 page = find_or_create_page(mapping, index,
1653 mapping_gfp_mask(mapping));
1654 if (!page)
1655 goto out_iput;
1656
1657 this_num = min_t(unsigned, num, PAGE_SIZE - offset);
1658 err = fuse_copy_page(cs, &page, offset, this_num, 0);
1659 if (!err && offset == 0 &&
1660 (this_num == PAGE_SIZE || file_size == end))
1661 SetPageUptodate(page);
1662 unlock_page(page);
1663 put_page(page);
1664
1665 if (err)
1666 goto out_iput;
1667
1668 num -= this_num;
1669 offset = 0;
1670 index++;
1671 }
1672
1673 err = 0;
1674
1675 out_iput:
1676 iput(inode);
1677 out_up_killsb:
1678 up_read(&fc->killsb);
1679 out_finish:
1680 fuse_copy_finish(cs);
1681 return err;
1682 }
1683
static void fuse_retrieve_end(struct fuse_conn *fc, struct fuse_req *req)
1685 {
1686 release_pages(req->pages, req->num_pages);
1687 }
1688
static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
			 struct fuse_notify_retrieve_out *outarg)
1691 {
1692 int err;
1693 struct address_space *mapping = inode->i_mapping;
1694 struct fuse_req *req;
1695 pgoff_t index;
1696 loff_t file_size;
1697 unsigned int num;
1698 unsigned int offset;
1699 size_t total_len = 0;
1700 int num_pages;
1701
1702 offset = outarg->offset & ~PAGE_MASK;
1703 file_size = i_size_read(inode);
1704
1705 num = min(outarg->size, fc->max_write);
1706 if (outarg->offset > file_size)
1707 num = 0;
1708 else if (outarg->offset + num > file_size)
1709 num = file_size - outarg->offset;
1710
1711 num_pages = (num + offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
1712 num_pages = min(num_pages, FUSE_MAX_PAGES_PER_REQ);
1713
1714 req = fuse_get_req(fc, num_pages);
1715 if (IS_ERR(req))
1716 return PTR_ERR(req);
1717
1718 req->in.h.opcode = FUSE_NOTIFY_REPLY;
1719 req->in.h.nodeid = outarg->nodeid;
1720 req->in.numargs = 2;
1721 req->in.argpages = 1;
1722 req->end = fuse_retrieve_end;
1723
1724 index = outarg->offset >> PAGE_SHIFT;
1725
1726 while (num && req->num_pages < num_pages) {
1727 struct page *page;
1728 unsigned int this_num;
1729
1730 page = find_get_page(mapping, index);
1731 if (!page)
1732 break;
1733
1734 this_num = min_t(unsigned, num, PAGE_SIZE - offset);
1735 req->pages[req->num_pages] = page;
1736 req->page_descs[req->num_pages].offset = offset;
1737 req->page_descs[req->num_pages].length = this_num;
1738 req->num_pages++;
1739
1740 offset = 0;
1741 num -= this_num;
1742 total_len += this_num;
1743 index++;
1744 }
1745 req->misc.retrieve_in.offset = outarg->offset;
1746 req->misc.retrieve_in.size = total_len;
1747 req->in.args[0].size = sizeof(req->misc.retrieve_in);
1748 req->in.args[0].value = &req->misc.retrieve_in;
1749 req->in.args[1].size = total_len;
1750
1751 err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
1752 if (err) {
1753 fuse_retrieve_end(fc, req);
1754 fuse_put_request(fc, req);
1755 }
1756
1757 return err;
1758 }
1759
static int fuse_notify_retrieve(struct fuse_conn *fc, unsigned int size,
				struct fuse_copy_state *cs)
1762 {
1763 struct fuse_notify_retrieve_out outarg;
1764 struct inode *inode;
1765 int err;
1766
1767 err = -EINVAL;
1768 if (size != sizeof(outarg))
1769 goto copy_finish;
1770
1771 err = fuse_copy_one(cs, &outarg, sizeof(outarg));
1772 if (err)
1773 goto copy_finish;
1774
1775 fuse_copy_finish(cs);
1776
1777 down_read(&fc->killsb);
1778 err = -ENOENT;
1779 if (fc->sb) {
1780 u64 nodeid = outarg.nodeid;
1781
1782 inode = ilookup5(fc->sb, nodeid, fuse_inode_eq, &nodeid);
1783 if (inode) {
1784 err = fuse_retrieve(fc, inode, &outarg);
1785 iput(inode);
1786 }
1787 }
1788 up_read(&fc->killsb);
1789
1790 return err;
1791
1792 copy_finish:
1793 fuse_copy_finish(cs);
1794 return err;
1795 }
1796
static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
		       unsigned int size, struct fuse_copy_state *cs)
1799 {
1800 /* Don't try to move pages (yet) */
1801 cs->move_pages = 0;
1802
1803 switch (code) {
1804 case FUSE_NOTIFY_POLL:
1805 return fuse_notify_poll(fc, size, cs);
1806
1807 case FUSE_NOTIFY_INVAL_INODE:
1808 return fuse_notify_inval_inode(fc, size, cs);
1809
1810 case FUSE_NOTIFY_INVAL_ENTRY:
1811 return fuse_notify_inval_entry(fc, size, cs);
1812
1813 case FUSE_NOTIFY_STORE:
1814 return fuse_notify_store(fc, size, cs);
1815
1816 case FUSE_NOTIFY_RETRIEVE:
1817 return fuse_notify_retrieve(fc, size, cs);
1818
1819 case FUSE_NOTIFY_DELETE:
1820 return fuse_notify_delete(fc, size, cs);
1821
1822 default:
1823 fuse_copy_finish(cs);
1824 return -EINVAL;
1825 }
1826 }
1827
1828 /* Look up request on processing list by unique ID */
static struct fuse_req *request_find(struct fuse_pqueue *fpq, u64 unique)
1830 {
1831 struct fuse_req *req;
1832
1833 list_for_each_entry(req, &fpq->processing, list) {
1834 if (req->in.h.unique == unique || req->intr_unique == unique)
1835 return req;
1836 }
1837 return NULL;
1838 }
1839
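/*
 * Copy the reply arguments from the userspace buffer into the request.
 * The last argument may be shorter than its maximum size only if
 * out->argvar is set.
 */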
static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
			 unsigned nbytes)
1842 {
1843 unsigned reqsize = sizeof(struct fuse_out_header);
1844
1845 if (out->h.error)
1846 return nbytes != reqsize ? -EINVAL : 0;
1847
1848 reqsize += len_args(out->numargs, out->args);
1849
1850 if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
1851 return -EINVAL;
1852 else if (reqsize > nbytes) {
1853 struct fuse_arg *lastarg = &out->args[out->numargs-1];
1854 unsigned diffsize = reqsize - nbytes;
1855 if (diffsize > lastarg->size)
1856 return -EINVAL;
1857 lastarg->size -= diffsize;
1858 }
1859 return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
1860 out->page_zeroing);
1861 }
1862
1863 /*
1864 * Write a single reply to a request. First the header is copied from
1865 * the write buffer. The request is then searched on the processing
1866 * list by the unique ID found in the header. If found, then remove
1867 * it from the list and copy the rest of the buffer to the request.
1868 * The request is finished by calling request_end()
1869 */
static ssize_t fuse_dev_do_write(struct fuse_dev *fud,
				 struct fuse_copy_state *cs, size_t nbytes)
1872 {
1873 int err;
1874 struct fuse_conn *fc = fud->fc;
1875 struct fuse_pqueue *fpq = &fud->pq;
1876 struct fuse_req *req;
1877 struct fuse_out_header oh;
1878
1879 if (nbytes < sizeof(struct fuse_out_header))
1880 return -EINVAL;
1881
1882 err = fuse_copy_one(cs, &oh, sizeof(oh));
1883 if (err)
1884 goto err_finish;
1885
1886 err = -EINVAL;
1887 if (oh.len != nbytes)
1888 goto err_finish;
1889
1890 /*
1891 * Zero oh.unique indicates unsolicited notification message
1892 * and error contains notification code.
1893 */
1894 if (!oh.unique) {
1895 err = fuse_notify(fc, oh.error, nbytes - sizeof(oh), cs);
1896 return err ? err : nbytes;
1897 }
1898
1899 err = -EINVAL;
1900 if (oh.error <= -1000 || oh.error > 0)
1901 goto err_finish;
1902
1903 spin_lock(&fpq->lock);
1904 err = -ENOENT;
1905 if (!fpq->connected)
1906 goto err_unlock_pq;
1907
1908 req = request_find(fpq, oh.unique);
1909 if (!req)
1910 goto err_unlock_pq;
1911
1912 /* Is it an interrupt reply? */
1913 if (req->intr_unique == oh.unique) {
1914 __fuse_get_request(req);
1915 spin_unlock(&fpq->lock);
1916
1917 err = -EINVAL;
1918 if (nbytes != sizeof(struct fuse_out_header)) {
1919 fuse_put_request(fc, req);
1920 goto err_finish;
1921 }
1922
1923 if (oh.error == -ENOSYS)
1924 fc->no_interrupt = 1;
1925 else if (oh.error == -EAGAIN)
1926 queue_interrupt(&fc->iq, req);
1927 fuse_put_request(fc, req);
1928
1929 fuse_copy_finish(cs);
1930 return nbytes;
1931 }
1932
1933 clear_bit(FR_SENT, &req->flags);
1934 list_move(&req->list, &fpq->io);
1935 req->out.h = oh;
1936 set_bit(FR_LOCKED, &req->flags);
1937 spin_unlock(&fpq->lock);
1938 cs->req = req;
1939 if (!req->out.page_replace)
1940 cs->move_pages = 0;
1941
1942 err = copy_out_args(cs, &req->out, nbytes);
1943 fuse_copy_finish(cs);
1944
1945 spin_lock(&fpq->lock);
1946 clear_bit(FR_LOCKED, &req->flags);
1947 if (!fpq->connected)
1948 err = -ENOENT;
1949 else if (err)
1950 req->out.h.error = -EIO;
1951 if (!test_bit(FR_PRIVATE, &req->flags))
1952 list_del_init(&req->list);
1953 spin_unlock(&fpq->lock);
1954
1955 request_end(fc, req);
1956
1957 return err ? err : nbytes;
1958
1959 err_unlock_pq:
1960 spin_unlock(&fpq->lock);
1961 err_finish:
1962 fuse_copy_finish(cs);
1963 return err;
1964 }
1965
static ssize_t fuse_dev_write(struct kiocb *iocb, struct iov_iter *from)
1967 {
1968 struct fuse_copy_state cs;
1969 struct fuse_dev *fud = fuse_get_dev(iocb->ki_filp);
1970
1971 if (!fud)
1972 return -EPERM;
1973
1974 if (!iter_is_iovec(from))
1975 return -EINVAL;
1976
1977 fuse_copy_init(&cs, 0, from);
1978
1979 return fuse_dev_do_write(fud, &cs, iov_iter_count(from));
1980 }
1981
static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
				     struct file *out, loff_t *ppos,
				     size_t len, unsigned int flags)
1985 {
1986 unsigned nbuf;
1987 unsigned idx;
1988 struct pipe_buffer *bufs;
1989 struct fuse_copy_state cs;
1990 struct fuse_dev *fud;
1991 size_t rem;
1992 ssize_t ret;
1993
1994 fud = fuse_get_dev(out);
1995 if (!fud)
1996 return -EPERM;
1997
1998 pipe_lock(pipe);
1999
2000 bufs = kvmalloc_array(pipe->nrbufs, sizeof(struct pipe_buffer),
2001 GFP_KERNEL);
2002 if (!bufs) {
2003 pipe_unlock(pipe);
2004 return -ENOMEM;
2005 }
2006
2007 nbuf = 0;
2008 rem = 0;
2009 for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
2010 rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
2011
2012 ret = -EINVAL;
2013 if (rem < len)
2014 goto out_free;
2015
2016 rem = len;
2017 while (rem) {
2018 struct pipe_buffer *ibuf;
2019 struct pipe_buffer *obuf;
2020
2021 BUG_ON(nbuf >= pipe->buffers);
2022 BUG_ON(!pipe->nrbufs);
2023 ibuf = &pipe->bufs[pipe->curbuf];
2024 obuf = &bufs[nbuf];
2025
2026 if (rem >= ibuf->len) {
2027 *obuf = *ibuf;
2028 ibuf->ops = NULL;
2029 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
2030 pipe->nrbufs--;
2031 } else {
2032 if (!pipe_buf_get(pipe, ibuf))
2033 goto out_free;
2034
2035 *obuf = *ibuf;
2036 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
2037 obuf->len = rem;
2038 ibuf->offset += obuf->len;
2039 ibuf->len -= obuf->len;
2040 }
2041 nbuf++;
2042 rem -= obuf->len;
2043 }
2044 pipe_unlock(pipe);
2045
2046 fuse_copy_init(&cs, 0, NULL);
2047 cs.pipebufs = bufs;
2048 cs.nr_segs = nbuf;
2049 cs.pipe = pipe;
2050
2051 if (flags & SPLICE_F_MOVE)
2052 cs.move_pages = 1;
2053
2054 ret = fuse_dev_do_write(fud, &cs, len);
2055
2056 pipe_lock(pipe);
2057 out_free:
2058 for (idx = 0; idx < nbuf; idx++)
2059 pipe_buf_release(pipe, &bufs[idx]);
2060 pipe_unlock(pipe);
2061
2062 kvfree(bufs);
2063 return ret;
2064 }
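
/*
 * Illustrative userspace sketch (not part of this file): sending a reply
 * through the splice path above.  The daemon queues the header and data in
 * a pipe (e.g. via vmsplice(2)) and then splices the pipe into /dev/fuse;
 * SPLICE_F_MOVE requests the page-stealing path gated by cs.move_pages.
 * "fuse_fd", "pipefd" and "total" are placeholders, and "total" must equal
 * oh.len or fuse_dev_do_write() returns -EINVAL.
 *
 *	#define _GNU_SOURCE
 *	#include <fcntl.h>
 *	#include <stdio.h>
 *
 *	ssize_t n = splice(pipefd[0], NULL, fuse_fd, NULL, total,
 *			   SPLICE_F_MOVE);
 *	if (n < 0)
 *		perror("splice to /dev/fuse");
 */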
2065
2066 static __poll_t fuse_dev_poll(struct file *file, poll_table *wait)
2067 {
2068 __poll_t mask = EPOLLOUT | EPOLLWRNORM;
2069 struct fuse_iqueue *fiq;
2070 struct fuse_dev *fud = fuse_get_dev(file);
2071
2072 if (!fud)
2073 return EPOLLERR;
2074
2075 fiq = &fud->fc->iq;
2076 poll_wait(file, &fiq->waitq, wait);
2077
2078 spin_lock(&fiq->lock);
2079 if (!fiq->connected)
2080 mask = EPOLLERR;
2081 else if (request_pending(fiq))
2082 mask |= EPOLLIN | EPOLLRDNORM;
2083 spin_unlock(&fiq->lock);
2084
2085 return mask;
2086 }
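
/*
 * Illustrative userspace sketch (not part of this file): a daemon waiting
 * for requests with poll(2).  /dev/fuse always reports itself writable;
 * POLLIN means a request is queued and a read will not block, POLLERR
 * means there is no connection (not attached to a mount, or aborted).
 * "fuse_fd" is a placeholder.
 *
 *	#include <poll.h>
 *
 *	struct pollfd pfd = { .fd = fuse_fd, .events = POLLIN };
 *
 *	if (poll(&pfd, 1, -1) > 0) {
 *		if (pfd.revents & POLLIN) {
 *			// read the next request from fuse_fd
 *		}
 *		if (pfd.revents & POLLERR) {
 *			// connection gone; clean up and exit
 *		}
 *	}
 */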
2087
2088 /*
2089 * Abort all requests on the given list (pending or processing)
2090 *
2091 * Called without fc->lock held; request_end() takes whatever locks it needs.
2092 */
2093 static void end_requests(struct fuse_conn *fc, struct list_head *head)
2094 {
2095 while (!list_empty(head)) {
2096 struct fuse_req *req;
2097 req = list_entry(head->next, struct fuse_req, list);
2098 req->out.h.error = -ECONNABORTED;
2099 clear_bit(FR_SENT, &req->flags);
2100 list_del_init(&req->list);
2101 request_end(fc, req);
2102 }
2103 }
2104
2105 static void end_polls(struct fuse_conn *fc)
2106 {
2107 struct rb_node *p;
2108
2109 p = rb_first(&fc->polled_files);
2110
2111 while (p) {
2112 struct fuse_file *ff;
2113 ff = rb_entry(p, struct fuse_file, polled_node);
2114 wake_up_interruptible_all(&ff->poll_wait);
2115
2116 p = rb_next(p);
2117 }
2118 }
2119
2120 /*
2121 * Abort all requests.
2122 *
2123 * Emergency exit in case of a malicious or accidental deadlock, or just a hung
2124 * filesystem.
2125 *
2126 * The same effect is usually achievable through killing the filesystem daemon
2127 * and all users of the filesystem. The exception is the combination of an
2128 * asynchronous request and the tricky deadlock (see
2129 * Documentation/filesystems/fuse.txt).
2130 *
2131 * Aborting requests under I/O goes as follows: 1: Separate out unlocked
2132 * requests; these should be finished off immediately.  Locked requests
2133 * will be finished after unlock; see unlock_request(). 2: Finish off the
2134 * unlocked requests.  It is possible that some request will finish before
2135 * we can; this is OK, since that request will have been removed from the
2136 * list before we touch it.
2137 */
2138 void fuse_abort_conn(struct fuse_conn *fc, bool is_abort)
2139 {
2140 struct fuse_iqueue *fiq = &fc->iq;
2141
2142 spin_lock(&fc->lock);
2143 if (fc->connected) {
2144 struct fuse_dev *fud;
2145 struct fuse_req *req, *next;
2146 LIST_HEAD(to_end);
2147
2148 fc->connected = 0;
2149 fc->blocked = 0;
2150 fc->aborted = is_abort;
2151 fuse_set_initialized(fc);
2152 list_for_each_entry(fud, &fc->devices, entry) {
2153 struct fuse_pqueue *fpq = &fud->pq;
2154
2155 spin_lock(&fpq->lock);
2156 fpq->connected = 0;
2157 list_for_each_entry_safe(req, next, &fpq->io, list) {
2158 req->out.h.error = -ECONNABORTED;
2159 spin_lock(&req->waitq.lock);
2160 set_bit(FR_ABORTED, &req->flags);
2161 if (!test_bit(FR_LOCKED, &req->flags)) {
2162 set_bit(FR_PRIVATE, &req->flags);
2163 __fuse_get_request(req);
2164 list_move(&req->list, &to_end);
2165 }
2166 spin_unlock(&req->waitq.lock);
2167 }
2168 list_splice_tail_init(&fpq->processing, &to_end);
2169 spin_unlock(&fpq->lock);
2170 }
2171 fc->max_background = UINT_MAX;
2172 flush_bg_queue(fc);
2173
2174 spin_lock(&fiq->lock);
2175 fiq->connected = 0;
2176 list_for_each_entry(req, &fiq->pending, list)
2177 clear_bit(FR_PENDING, &req->flags);
2178 list_splice_tail_init(&fiq->pending, &to_end);
2179 while (forget_pending(fiq))
2180 kfree(dequeue_forget(fiq, 1, NULL));
2181 wake_up_all(&fiq->waitq);
2182 spin_unlock(&fiq->lock);
2183 kill_fasync(&fiq->fasync, SIGIO, POLL_IN);
2184 end_polls(fc);
2185 wake_up_all(&fc->blocked_waitq);
2186 spin_unlock(&fc->lock);
2187
2188 end_requests(fc, &to_end);
2189 } else {
2190 spin_unlock(&fc->lock);
2191 }
2192 }
2193 EXPORT_SYMBOL_GPL(fuse_abort_conn);
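
/*
 * Illustrative userspace sketch (not part of this file): the usual way to
 * reach fuse_abort_conn() from userspace is the sysfs abort file of the
 * connection, in a directory named after the connection's device number
 * (typically the decimal st_dev of files on the mount; see also
 * Documentation/filesystems/fuse.txt).  The "42" below is a placeholder
 * for that number.
 *
 *	#include <fcntl.h>
 *	#include <unistd.h>
 *
 *	int fd = open("/sys/fs/fuse/connections/42/abort", O_WRONLY);
 *	if (fd >= 0) {
 *		write(fd, "1", 1);	// any write aborts the connection
 *		close(fd);
 *	}
 */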
2194
2195 void fuse_wait_aborted(struct fuse_conn *fc)
2196 {
2197 /* matches implicit memory barrier in fuse_drop_waiting() */
2198 smp_mb();
2199 wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0);
2200 }
2201
2202 int fuse_dev_release(struct inode *inode, struct file *file)
2203 {
2204 struct fuse_dev *fud = fuse_get_dev(file);
2205
2206 if (fud) {
2207 struct fuse_conn *fc = fud->fc;
2208 struct fuse_pqueue *fpq = &fud->pq;
2209 LIST_HEAD(to_end);
2210
2211 spin_lock(&fpq->lock);
2212 WARN_ON(!list_empty(&fpq->io));
2213 list_splice_init(&fpq->processing, &to_end);
2214 spin_unlock(&fpq->lock);
2215
2216 end_requests(fc, &to_end);
2217
2218 /* Are we the last open device? */
2219 if (atomic_dec_and_test(&fc->dev_count)) {
2220 WARN_ON(fc->iq.fasync != NULL);
2221 fuse_abort_conn(fc, false);
2222 }
2223 fuse_dev_free(fud);
2224 }
2225 return 0;
2226 }
2227 EXPORT_SYMBOL_GPL(fuse_dev_release);
2228
2229 static int fuse_dev_fasync(int fd, struct file *file, int on)
2230 {
2231 struct fuse_dev *fud = fuse_get_dev(file);
2232
2233 if (!fud)
2234 return -EPERM;
2235
2236 /* No locking - fasync_helper does its own locking */
2237 return fasync_helper(fd, file, on, &fud->fc->iq.fasync);
2238 }
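
/*
 * Illustrative userspace sketch (not part of this file): asking for SIGIO
 * when a request arrives.  Setting O_ASYNC on the device fd ends up in
 * fuse_dev_fasync(), after which the connection's fasync list is kicked
 * via kill_fasync() when requests are queued and when the connection is
 * aborted (see fuse_abort_conn() above).  "fuse_fd" is a placeholder.
 *
 *	#include <fcntl.h>
 *	#include <unistd.h>
 *
 *	fcntl(fuse_fd, F_SETOWN, getpid());
 *	fcntl(fuse_fd, F_SETFL, fcntl(fuse_fd, F_GETFL) | O_ASYNC);
 */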
2239
2240 static int fuse_device_clone(struct fuse_conn *fc, struct file *new)
2241 {
2242 struct fuse_dev *fud;
2243
2244 if (new->private_data)
2245 return -EINVAL;
2246
2247 fud = fuse_dev_alloc(fc);
2248 if (!fud)
2249 return -ENOMEM;
2250
2251 new->private_data = fud;
2252 atomic_inc(&fc->dev_count);
2253
2254 return 0;
2255 }
2256
2257 static long fuse_dev_ioctl(struct file *file, unsigned int cmd,
2258 unsigned long arg)
2259 {
2260 int err = -ENOTTY;
2261
2262 if (cmd == FUSE_DEV_IOC_CLONE) {
2263 int oldfd;
2264
2265 err = -EFAULT;
2266 if (!get_user(oldfd, (__u32 __user *) arg)) {
2267 struct file *old = fget(oldfd);
2268
2269 err = -EINVAL;
2270 if (old) {
2271 struct fuse_dev *fud = NULL;
2272
2273 /*
2274 * Check against file->f_op because CUSE
2275 * uses the same ioctl handler.
2276 */
2277 if (old->f_op == file->f_op &&
2278 old->f_cred->user_ns == file->f_cred->user_ns)
2279 fud = fuse_get_dev(old);
2280
2281 if (fud) {
2282 mutex_lock(&fuse_mutex);
2283 err = fuse_device_clone(fud->fc, file);
2284 mutex_unlock(&fuse_mutex);
2285 }
2286 fput(old);
2287 }
2288 }
2289 }
2290 return err;
2291 }
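
/*
 * Illustrative userspace sketch (not part of this file): cloning an
 * existing connection onto a fresh /dev/fuse fd, so several worker threads
 * can each own a separate processing queue.  "session_fd" is a placeholder
 * for the descriptor already attached to the mount; error handling is
 * elided.
 *
 *	#include <stdint.h>
 *	#include <fcntl.h>
 *	#include <sys/ioctl.h>
 *	#include <linux/fuse.h>		// FUSE_DEV_IOC_CLONE
 *
 *	int clone_fd = open("/dev/fuse", O_RDWR | O_CLOEXEC);
 *	uint32_t oldfd = session_fd;
 *
 *	if (clone_fd >= 0 && ioctl(clone_fd, FUSE_DEV_IOC_CLONE, &oldfd) == 0) {
 *		// clone_fd now serves the same connection through its own
 *		// fuse_dev (see fuse_device_clone() above)
 *	}
 */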
2292
2293 const struct file_operations fuse_dev_operations = {
2294 .owner = THIS_MODULE,
2295 .open = fuse_dev_open,
2296 .llseek = no_llseek,
2297 .read_iter = fuse_dev_read,
2298 .splice_read = fuse_dev_splice_read,
2299 .write_iter = fuse_dev_write,
2300 .splice_write = fuse_dev_splice_write,
2301 .poll = fuse_dev_poll,
2302 .release = fuse_dev_release,
2303 .fasync = fuse_dev_fasync,
2304 .unlocked_ioctl = fuse_dev_ioctl,
2305 .compat_ioctl = fuse_dev_ioctl,
2306 };
2307 EXPORT_SYMBOL_GPL(fuse_dev_operations);
2308
2309 static struct miscdevice fuse_miscdevice = {
2310 .minor = FUSE_MINOR,
2311 .name = "fuse",
2312 .fops = &fuse_dev_operations,
2313 };
2314
2315 int __init fuse_dev_init(void)
2316 {
2317 int err = -ENOMEM;
2318 fuse_req_cachep = kmem_cache_create("fuse_request",
2319 sizeof(struct fuse_req),
2320 0, 0, NULL);
2321 if (!fuse_req_cachep)
2322 goto out;
2323
2324 err = misc_register(&fuse_miscdevice);
2325 if (err)
2326 goto out_cache_clean;
2327
2328 return 0;
2329
2330 out_cache_clean:
2331 kmem_cache_destroy(fuse_req_cachep);
2332 out:
2333 return err;
2334 }
2335
2336 void fuse_dev_cleanup(void)
2337 {
2338 misc_deregister(&fuse_miscdevice);
2339 kmem_cache_destroy(fuse_req_cachep);
2340 }
2341