fs/fuse/dev.c at v2.6.17-rc2 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / fs / fuse / dev.c
at v2.6.17-rc2 959 lines 24 kB view raw
  1/*
  2  FUSE: Filesystem in Userspace
  3  Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>
  4
  5  This program can be distributed under the terms of the GNU GPL.
  6  See the file COPYING.
  7*/
  8
  9#include "fuse_i.h"
 10
 11#include <linux/init.h>
 12#include <linux/module.h>
 13#include <linux/poll.h>
 14#include <linux/uio.h>
 15#include <linux/miscdevice.h>
 16#include <linux/pagemap.h>
 17#include <linux/file.h>
 18#include <linux/slab.h>
 19
 20MODULE_ALIAS_MISCDEV(FUSE_MINOR);
 21
 22static kmem_cache_t *fuse_req_cachep;
 23
 24static struct fuse_conn *fuse_get_conn(struct file *file)
 25{
 26	/*
 27	 * Lockless access is OK, because file->private data is set
 28	 * once during mount and is valid until the file is released.
 29	 */
 30	return file->private_data;
 31}
 32
 33static void fuse_request_init(struct fuse_req *req)
 34{
 35	memset(req, 0, sizeof(*req));
 36	INIT_LIST_HEAD(&req->list);
 37	init_waitqueue_head(&req->waitq);
 38	atomic_set(&req->count, 1);
 39}
 40
 41struct fuse_req *fuse_request_alloc(void)
 42{
 43	struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, SLAB_KERNEL);
 44	if (req)
 45		fuse_request_init(req);
 46	return req;
 47}
 48
 49void fuse_request_free(struct fuse_req *req)
 50{
 51	kmem_cache_free(fuse_req_cachep, req);
 52}
 53
 54static void block_sigs(sigset_t *oldset)
 55{
 56	sigset_t mask;
 57
 58	siginitsetinv(&mask, sigmask(SIGKILL));
 59	sigprocmask(SIG_BLOCK, &mask, oldset);
 60}
 61
 62static void restore_sigs(sigset_t *oldset)
 63{
 64	sigprocmask(SIG_SETMASK, oldset, NULL);
 65}
 66
 67/*
 68 * Reset request, so that it can be reused
 69 *
 70 * The caller must be _very_ careful to make sure, that it is holding
 71 * the only reference to req
 72 */
 73void fuse_reset_request(struct fuse_req *req)
 74{
 75	BUG_ON(atomic_read(&req->count) != 1);
 76	fuse_request_init(req);
 77}
 78
 79static void __fuse_get_request(struct fuse_req *req)
 80{
 81	atomic_inc(&req->count);
 82}
 83
 84/* Must be called with > 1 refcount */
 85static void __fuse_put_request(struct fuse_req *req)
 86{
 87	BUG_ON(atomic_read(&req->count) < 2);
 88	atomic_dec(&req->count);
 89}
 90
 91struct fuse_req *fuse_get_req(struct fuse_conn *fc)
 92{
 93	struct fuse_req *req;
 94	sigset_t oldset;
 95	int intr;
 96	int err;
 97
 98	atomic_inc(&fc->num_waiting);
 99	block_sigs(&oldset);
100	intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
101	restore_sigs(&oldset);
102	err = -EINTR;
103	if (intr)
104		goto out;
105
106	req = fuse_request_alloc();
107	err = -ENOMEM;
108	if (!req)
109		goto out;
110
111	req->in.h.uid = current->fsuid;
112	req->in.h.gid = current->fsgid;
113	req->in.h.pid = current->pid;
114	req->waiting = 1;
115	return req;
116
117 out:
118	atomic_dec(&fc->num_waiting);
119	return ERR_PTR(err);
120}
121
122void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
123{
124	if (atomic_dec_and_test(&req->count)) {
125		if (req->waiting)
126			atomic_dec(&fc->num_waiting);
127		fuse_request_free(req);
128	}
129}
130
131void fuse_remove_background(struct fuse_conn *fc, struct fuse_req *req)
132{
133	list_del_init(&req->bg_entry);
134	if (fc->num_background == FUSE_MAX_BACKGROUND) {
135		fc->blocked = 0;
136		wake_up_all(&fc->blocked_waitq);
137	}
138	fc->num_background--;
139}
140
141/*
142 * This function is called when a request is finished.  Either a reply
143 * has arrived or it was interrupted (and not yet sent) or some error
144 * occurred during communication with userspace, or the device file
145 * was closed.  In case of a background request the reference to the
146 * stored objects are released.  The requester thread is woken up (if
147 * still waiting), the 'end' callback is called if given, else the
148 * reference to the request is released
149 *
150 * Releasing extra reference for foreground requests must be done
151 * within the same locked region as setting state to finished.  This
152 * is because fuse_reset_request() may be called after request is
153 * finished and it must be the sole possessor.  If request is
154 * interrupted and put in the background, it will return with an error
155 * and hence never be reset and reused.
156 *
157 * Called with fc->lock, unlocks it
158 */
159static void request_end(struct fuse_conn *fc, struct fuse_req *req)
160{
161	list_del(&req->list);
162	req->state = FUSE_REQ_FINISHED;
163	if (!req->background) {
164		spin_unlock(&fc->lock);
165		wake_up(&req->waitq);
166		fuse_put_request(fc, req);
167	} else {
168		struct inode *inode = req->inode;
169		struct inode *inode2 = req->inode2;
170		struct file *file = req->file;
171		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
172		req->end = NULL;
173		req->inode = NULL;
174		req->inode2 = NULL;
175		req->file = NULL;
176		if (!list_empty(&req->bg_entry))
177			fuse_remove_background(fc, req);
178		spin_unlock(&fc->lock);
179
180		if (end)
181			end(fc, req);
182		else
183			fuse_put_request(fc, req);
184
185		if (file)
186			fput(file);
187		iput(inode);
188		iput(inode2);
189	}
190}
191
192/*
193 * Unfortunately request interruption not just solves the deadlock
194 * problem, it causes problems too.  These stem from the fact, that an
195 * interrupted request is continued to be processed in userspace,
196 * while all the locks and object references (inode and file) held
197 * during the operation are released.
198 *
199 * To release the locks is exactly why there's a need to interrupt the
200 * request, so there's not a lot that can be done about this, except
201 * introduce additional locking in userspace.
202 *
203 * More important is to keep inode and file references until userspace
204 * has replied, otherwise FORGET and RELEASE could be sent while the
205 * inode/file is still used by the filesystem.
206 *
207 * For this reason the concept of "background" request is introduced.
208 * An interrupted request is backgrounded if it has been already sent
209 * to userspace.  Backgrounding involves getting an extra reference to
210 * inode(s) or file used in the request, and adding the request to
211 * fc->background list.  When a reply is received for a background
212 * request, the object references are released, and the request is
213 * removed from the list.  If the filesystem is unmounted while there
214 * are still background requests, the list is walked and references
215 * are released as if a reply was received.
216 *
217 * There's one more use for a background request.  The RELEASE message is
218 * always sent as background, since it doesn't return an error or
219 * data.
220 */
221static void background_request(struct fuse_conn *fc, struct fuse_req *req)
222{
223	req->background = 1;
224	list_add(&req->bg_entry, &fc->background);
225	fc->num_background++;
226	if (fc->num_background == FUSE_MAX_BACKGROUND)
227		fc->blocked = 1;
228	if (req->inode)
229		req->inode = igrab(req->inode);
230	if (req->inode2)
231		req->inode2 = igrab(req->inode2);
232	if (req->file)
233		get_file(req->file);
234}
235
236/* Called with fc->lock held.  Releases, and then reacquires it. */
237static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
238{
239	sigset_t oldset;
240
241	spin_unlock(&fc->lock);
242	block_sigs(&oldset);
243	wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
244	restore_sigs(&oldset);
245	spin_lock(&fc->lock);
246	if (req->state == FUSE_REQ_FINISHED && !req->interrupted)
247		return;
248
249	if (!req->interrupted) {
250		req->out.h.error = -EINTR;
251		req->interrupted = 1;
252	}
253	if (req->locked) {
254		/* This is uninterruptible sleep, because data is
255		   being copied to/from the buffers of req.  During
256		   locked state, there mustn't be any filesystem
257		   operation (e.g. page fault), since that could lead
258		   to deadlock */
259		spin_unlock(&fc->lock);
260		wait_event(req->waitq, !req->locked);
261		spin_lock(&fc->lock);
262	}
263	if (req->state == FUSE_REQ_PENDING) {
264		list_del(&req->list);
265		__fuse_put_request(req);
266	} else if (req->state == FUSE_REQ_SENT)
267		background_request(fc, req);
268}
269
270static unsigned len_args(unsigned numargs, struct fuse_arg *args)
271{
272	unsigned nbytes = 0;
273	unsigned i;
274
275	for (i = 0; i < numargs; i++)
276		nbytes += args[i].size;
277
278	return nbytes;
279}
280
281static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
282{
283	fc->reqctr++;
284	/* zero is special */
285	if (fc->reqctr == 0)
286		fc->reqctr = 1;
287	req->in.h.unique = fc->reqctr;
288	req->in.h.len = sizeof(struct fuse_in_header) +
289		len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
290	list_add_tail(&req->list, &fc->pending);
291	req->state = FUSE_REQ_PENDING;
292	if (!req->waiting) {
293		req->waiting = 1;
294		atomic_inc(&fc->num_waiting);
295	}
296	wake_up(&fc->waitq);
297	kill_fasync(&fc->fasync, SIGIO, POLL_IN);
298}
299
300/*
301 * This can only be interrupted by a SIGKILL
302 */
303void request_send(struct fuse_conn *fc, struct fuse_req *req)
304{
305	req->isreply = 1;
306	spin_lock(&fc->lock);
307	if (!fc->connected)
308		req->out.h.error = -ENOTCONN;
309	else if (fc->conn_error)
310		req->out.h.error = -ECONNREFUSED;
311	else {
312		queue_request(fc, req);
313		/* acquire extra reference, since request is still needed
314		   after request_end() */
315		__fuse_get_request(req);
316
317		request_wait_answer(fc, req);
318	}
319	spin_unlock(&fc->lock);
320}
321
322static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
323{
324	spin_lock(&fc->lock);
325	background_request(fc, req);
326	if (fc->connected) {
327		queue_request(fc, req);
328		spin_unlock(&fc->lock);
329	} else {
330		req->out.h.error = -ENOTCONN;
331		request_end(fc, req);
332	}
333}
334
335void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
336{
337	req->isreply = 0;
338	request_send_nowait(fc, req);
339}
340
341void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
342{
343	req->isreply = 1;
344	request_send_nowait(fc, req);
345}
346
347/*
348 * Lock the request.  Up to the next unlock_request() there mustn't be
349 * anything that could cause a page-fault.  If the request was already
350 * interrupted bail out.
351 */
352static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
353{
354	int err = 0;
355	if (req) {
356		spin_lock(&fc->lock);
357		if (req->interrupted)
358			err = -ENOENT;
359		else
360			req->locked = 1;
361		spin_unlock(&fc->lock);
362	}
363	return err;
364}
365
366/*
367 * Unlock request.  If it was interrupted during being locked, the
368 * requester thread is currently waiting for it to be unlocked, so
369 * wake it up.
370 */
371static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
372{
373	if (req) {
374		spin_lock(&fc->lock);
375		req->locked = 0;
376		if (req->interrupted)
377			wake_up(&req->waitq);
378		spin_unlock(&fc->lock);
379	}
380}
381
382struct fuse_copy_state {
383	struct fuse_conn *fc;
384	int write;
385	struct fuse_req *req;
386	const struct iovec *iov;
387	unsigned long nr_segs;
388	unsigned long seglen;
389	unsigned long addr;
390	struct page *pg;
391	void *mapaddr;
392	void *buf;
393	unsigned len;
394};
395
396static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
397			   int write, struct fuse_req *req,
398			   const struct iovec *iov, unsigned long nr_segs)
399{
400	memset(cs, 0, sizeof(*cs));
401	cs->fc = fc;
402	cs->write = write;
403	cs->req = req;
404	cs->iov = iov;
405	cs->nr_segs = nr_segs;
406}
407
408/* Unmap and put previous page of userspace buffer */
409static void fuse_copy_finish(struct fuse_copy_state *cs)
410{
411	if (cs->mapaddr) {
412		kunmap_atomic(cs->mapaddr, KM_USER0);
413		if (cs->write) {
414			flush_dcache_page(cs->pg);
415			set_page_dirty_lock(cs->pg);
416		}
417		put_page(cs->pg);
418		cs->mapaddr = NULL;
419	}
420}
421
422/*
423 * Get another pagefull of userspace buffer, and map it to kernel
424 * address space, and lock request
425 */
426static int fuse_copy_fill(struct fuse_copy_state *cs)
427{
428	unsigned long offset;
429	int err;
430
431	unlock_request(cs->fc, cs->req);
432	fuse_copy_finish(cs);
433	if (!cs->seglen) {
434		BUG_ON(!cs->nr_segs);
435		cs->seglen = cs->iov[0].iov_len;
436		cs->addr = (unsigned long) cs->iov[0].iov_base;
437		cs->iov ++;
438		cs->nr_segs --;
439	}
440	down_read(&current->mm->mmap_sem);
441	err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
442			     &cs->pg, NULL);
443	up_read(&current->mm->mmap_sem);
444	if (err < 0)
445		return err;
446	BUG_ON(err != 1);
447	offset = cs->addr % PAGE_SIZE;
448	cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
449	cs->buf = cs->mapaddr + offset;
450	cs->len = min(PAGE_SIZE - offset, cs->seglen);
451	cs->seglen -= cs->len;
452	cs->addr += cs->len;
453
454	return lock_request(cs->fc, cs->req);
455}
456
457/* Do as much copy to/from userspace buffer as we can */
458static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
459{
460	unsigned ncpy = min(*size, cs->len);
461	if (val) {
462		if (cs->write)
463			memcpy(cs->buf, *val, ncpy);
464		else
465			memcpy(*val, cs->buf, ncpy);
466		*val += ncpy;
467	}
468	*size -= ncpy;
469	cs->len -= ncpy;
470	cs->buf += ncpy;
471	return ncpy;
472}
473
474/*
475 * Copy a page in the request to/from the userspace buffer.  Must be
476 * done atomically
477 */
478static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
479			  unsigned offset, unsigned count, int zeroing)
480{
481	if (page && zeroing && count < PAGE_SIZE) {
482		void *mapaddr = kmap_atomic(page, KM_USER1);
483		memset(mapaddr, 0, PAGE_SIZE);
484		kunmap_atomic(mapaddr, KM_USER1);
485	}
486	while (count) {
487		int err;
488		if (!cs->len && (err = fuse_copy_fill(cs)))
489			return err;
490		if (page) {
491			void *mapaddr = kmap_atomic(page, KM_USER1);
492			void *buf = mapaddr + offset;
493			offset += fuse_copy_do(cs, &buf, &count);
494			kunmap_atomic(mapaddr, KM_USER1);
495		} else
496			offset += fuse_copy_do(cs, NULL, &count);
497	}
498	if (page && !cs->write)
499		flush_dcache_page(page);
500	return 0;
501}
502
503/* Copy pages in the request to/from userspace buffer */
504static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
505			   int zeroing)
506{
507	unsigned i;
508	struct fuse_req *req = cs->req;
509	unsigned offset = req->page_offset;
510	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
511
512	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
513		struct page *page = req->pages[i];
514		int err = fuse_copy_page(cs, page, offset, count, zeroing);
515		if (err)
516			return err;
517
518		nbytes -= count;
519		count = min(nbytes, (unsigned) PAGE_SIZE);
520		offset = 0;
521	}
522	return 0;
523}
524
525/* Copy a single argument in the request to/from userspace buffer */
526static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
527{
528	while (size) {
529		int err;
530		if (!cs->len && (err = fuse_copy_fill(cs)))
531			return err;
532		fuse_copy_do(cs, &val, &size);
533	}
534	return 0;
535}
536
537/* Copy request arguments to/from userspace buffer */
538static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
539			  unsigned argpages, struct fuse_arg *args,
540			  int zeroing)
541{
542	int err = 0;
543	unsigned i;
544
545	for (i = 0; !err && i < numargs; i++)  {
546		struct fuse_arg *arg = &args[i];
547		if (i == numargs - 1 && argpages)
548			err = fuse_copy_pages(cs, arg->size, zeroing);
549		else
550			err = fuse_copy_one(cs, arg->value, arg->size);
551	}
552	return err;
553}
554
555/* Wait until a request is available on the pending list */
556static void request_wait(struct fuse_conn *fc)
557{
558	DECLARE_WAITQUEUE(wait, current);
559
560	add_wait_queue_exclusive(&fc->waitq, &wait);
561	while (fc->connected && list_empty(&fc->pending)) {
562		set_current_state(TASK_INTERRUPTIBLE);
563		if (signal_pending(current))
564			break;
565
566		spin_unlock(&fc->lock);
567		schedule();
568		spin_lock(&fc->lock);
569	}
570	set_current_state(TASK_RUNNING);
571	remove_wait_queue(&fc->waitq, &wait);
572}
573
574/*
575 * Read a single request into the userspace filesystem's buffer.  This
576 * function waits until a request is available, then removes it from
577 * the pending list and copies request data to userspace buffer.  If
578 * no reply is needed (FORGET) or request has been interrupted or
579 * there was an error during the copying then it's finished by calling
580 * request_end().  Otherwise add it to the processing list, and set
581 * the 'sent' flag.
582 */
583static ssize_t fuse_dev_readv(struct file *file, const struct iovec *iov,
584			      unsigned long nr_segs, loff_t *off)
585{
586	int err;
587	struct fuse_req *req;
588	struct fuse_in *in;
589	struct fuse_copy_state cs;
590	unsigned reqsize;
591	struct fuse_conn *fc = fuse_get_conn(file);
592	if (!fc)
593		return -EPERM;
594
595 restart:
596	spin_lock(&fc->lock);
597	err = -EAGAIN;
598	if ((file->f_flags & O_NONBLOCK) && fc->connected &&
599	    list_empty(&fc->pending))
600		goto err_unlock;
601
602	request_wait(fc);
603	err = -ENODEV;
604	if (!fc->connected)
605		goto err_unlock;
606	err = -ERESTARTSYS;
607	if (list_empty(&fc->pending))
608		goto err_unlock;
609
610	req = list_entry(fc->pending.next, struct fuse_req, list);
611	req->state = FUSE_REQ_READING;
612	list_move(&req->list, &fc->io);
613
614	in = &req->in;
615	reqsize = in->h.len;
616	/* If request is too large, reply with an error and restart the read */
617	if (iov_length(iov, nr_segs) < reqsize) {
618		req->out.h.error = -EIO;
619		/* SETXATTR is special, since it may contain too large data */
620		if (in->h.opcode == FUSE_SETXATTR)
621			req->out.h.error = -E2BIG;
622		request_end(fc, req);
623		goto restart;
624	}
625	spin_unlock(&fc->lock);
626	fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
627	err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
628	if (!err)
629		err = fuse_copy_args(&cs, in->numargs, in->argpages,
630				     (struct fuse_arg *) in->args, 0);
631	fuse_copy_finish(&cs);
632	spin_lock(&fc->lock);
633	req->locked = 0;
634	if (!err && req->interrupted)
635		err = -ENOENT;
636	if (err) {
637		if (!req->interrupted)
638			req->out.h.error = -EIO;
639		request_end(fc, req);
640		return err;
641	}
642	if (!req->isreply)
643		request_end(fc, req);
644	else {
645		req->state = FUSE_REQ_SENT;
646		list_move_tail(&req->list, &fc->processing);
647		spin_unlock(&fc->lock);
648	}
649	return reqsize;
650
651 err_unlock:
652	spin_unlock(&fc->lock);
653	return err;
654}
655
656static ssize_t fuse_dev_read(struct file *file, char __user *buf,
657			     size_t nbytes, loff_t *off)
658{
659	struct iovec iov;
660	iov.iov_len = nbytes;
661	iov.iov_base = buf;
662	return fuse_dev_readv(file, &iov, 1, off);
663}
664
665/* Look up request on processing list by unique ID */
666static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
667{
668	struct list_head *entry;
669
670	list_for_each(entry, &fc->processing) {
671		struct fuse_req *req;
672		req = list_entry(entry, struct fuse_req, list);
673		if (req->in.h.unique == unique)
674			return req;
675	}
676	return NULL;
677}
678
679static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
680			 unsigned nbytes)
681{
682	unsigned reqsize = sizeof(struct fuse_out_header);
683
684	if (out->h.error)
685		return nbytes != reqsize ? -EINVAL : 0;
686
687	reqsize += len_args(out->numargs, out->args);
688
689	if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
690		return -EINVAL;
691	else if (reqsize > nbytes) {
692		struct fuse_arg *lastarg = &out->args[out->numargs-1];
693		unsigned diffsize = reqsize - nbytes;
694		if (diffsize > lastarg->size)
695			return -EINVAL;
696		lastarg->size -= diffsize;
697	}
698	return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
699			      out->page_zeroing);
700}
701
702/*
703 * Write a single reply to a request.  First the header is copied from
704 * the write buffer.  The request is then searched on the processing
705 * list by the unique ID found in the header.  If found, then remove
706 * it from the list and copy the rest of the buffer to the request.
707 * The request is finished by calling request_end()
708 */
709static ssize_t fuse_dev_writev(struct file *file, const struct iovec *iov,
710			       unsigned long nr_segs, loff_t *off)
711{
712	int err;
713	unsigned nbytes = iov_length(iov, nr_segs);
714	struct fuse_req *req;
715	struct fuse_out_header oh;
716	struct fuse_copy_state cs;
717	struct fuse_conn *fc = fuse_get_conn(file);
718	if (!fc)
719		return -EPERM;
720
721	fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
722	if (nbytes < sizeof(struct fuse_out_header))
723		return -EINVAL;
724
725	err = fuse_copy_one(&cs, &oh, sizeof(oh));
726	if (err)
727		goto err_finish;
728	err = -EINVAL;
729	if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
730	    oh.len != nbytes)
731		goto err_finish;
732
733	spin_lock(&fc->lock);
734	err = -ENOENT;
735	if (!fc->connected)
736		goto err_unlock;
737
738	req = request_find(fc, oh.unique);
739	err = -EINVAL;
740	if (!req)
741		goto err_unlock;
742
743	if (req->interrupted) {
744		spin_unlock(&fc->lock);
745		fuse_copy_finish(&cs);
746		spin_lock(&fc->lock);
747		request_end(fc, req);
748		return -ENOENT;
749	}
750	list_move(&req->list, &fc->io);
751	req->out.h = oh;
752	req->locked = 1;
753	cs.req = req;
754	spin_unlock(&fc->lock);
755
756	err = copy_out_args(&cs, &req->out, nbytes);
757	fuse_copy_finish(&cs);
758
759	spin_lock(&fc->lock);
760	req->locked = 0;
761	if (!err) {
762		if (req->interrupted)
763			err = -ENOENT;
764	} else if (!req->interrupted)
765		req->out.h.error = -EIO;
766	request_end(fc, req);
767
768	return err ? err : nbytes;
769
770 err_unlock:
771	spin_unlock(&fc->lock);
772 err_finish:
773	fuse_copy_finish(&cs);
774	return err;
775}
776
777static ssize_t fuse_dev_write(struct file *file, const char __user *buf,
778			      size_t nbytes, loff_t *off)
779{
780	struct iovec iov;
781	iov.iov_len = nbytes;
782	iov.iov_base = (char __user *) buf;
783	return fuse_dev_writev(file, &iov, 1, off);
784}
785
786static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
787{
788	unsigned mask = POLLOUT | POLLWRNORM;
789	struct fuse_conn *fc = fuse_get_conn(file);
790	if (!fc)
791		return POLLERR;
792
793	poll_wait(file, &fc->waitq, wait);
794
795	spin_lock(&fc->lock);
796	if (!fc->connected)
797		mask = POLLERR;
798	else if (!list_empty(&fc->pending))
799		mask |= POLLIN | POLLRDNORM;
800	spin_unlock(&fc->lock);
801
802	return mask;
803}
804
805/*
806 * Abort all requests on the given list (pending or processing)
807 *
808 * This function releases and reacquires fc->lock
809 */
810static void end_requests(struct fuse_conn *fc, struct list_head *head)
811{
812	while (!list_empty(head)) {
813		struct fuse_req *req;
814		req = list_entry(head->next, struct fuse_req, list);
815		req->out.h.error = -ECONNABORTED;
816		request_end(fc, req);
817		spin_lock(&fc->lock);
818	}
819}
820
821/*
822 * Abort requests under I/O
823 *
824 * The requests are set to interrupted and finished, and the request
825 * waiter is woken up.  This will make request_wait_answer() wait
826 * until the request is unlocked and then return.
827 *
828 * If the request is asynchronous, then the end function needs to be
829 * called after waiting for the request to be unlocked (if it was
830 * locked).
831 */
832static void end_io_requests(struct fuse_conn *fc)
833{
834	while (!list_empty(&fc->io)) {
835		struct fuse_req *req =
836			list_entry(fc->io.next, struct fuse_req, list);
837		void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
838
839		req->interrupted = 1;
840		req->out.h.error = -ECONNABORTED;
841		req->state = FUSE_REQ_FINISHED;
842		list_del_init(&req->list);
843		wake_up(&req->waitq);
844		if (end) {
845			req->end = NULL;
846			/* The end function will consume this reference */
847			__fuse_get_request(req);
848			spin_unlock(&fc->lock);
849			wait_event(req->waitq, !req->locked);
850			end(fc, req);
851			spin_lock(&fc->lock);
852		}
853	}
854}
855
856/*
857 * Abort all requests.
858 *
859 * Emergency exit in case of a malicious or accidental deadlock, or
860 * just a hung filesystem.
861 *
862 * The same effect is usually achievable through killing the
863 * filesystem daemon and all users of the filesystem.  The exception
864 * is the combination of an asynchronous request and the tricky
865 * deadlock (see Documentation/filesystems/fuse.txt).
866 *
867 * During the aborting, progression of requests from the pending and
868 * processing lists onto the io list, and progression of new requests
869 * onto the pending list is prevented by req->connected being false.
870 *
871 * Progression of requests under I/O to the processing list is
872 * prevented by the req->interrupted flag being true for these
873 * requests.  For this reason requests on the io list must be aborted
874 * first.
875 */
876void fuse_abort_conn(struct fuse_conn *fc)
877{
878	spin_lock(&fc->lock);
879	if (fc->connected) {
880		fc->connected = 0;
881		end_io_requests(fc);
882		end_requests(fc, &fc->pending);
883		end_requests(fc, &fc->processing);
884		wake_up_all(&fc->waitq);
885		kill_fasync(&fc->fasync, SIGIO, POLL_IN);
886	}
887	spin_unlock(&fc->lock);
888}
889
890static int fuse_dev_release(struct inode *inode, struct file *file)
891{
892	struct fuse_conn *fc = fuse_get_conn(file);
893	if (fc) {
894		spin_lock(&fc->lock);
895		fc->connected = 0;
896		end_requests(fc, &fc->pending);
897		end_requests(fc, &fc->processing);
898		spin_unlock(&fc->lock);
899		fasync_helper(-1, file, 0, &fc->fasync);
900		kobject_put(&fc->kobj);
901	}
902
903	return 0;
904}
905
906static int fuse_dev_fasync(int fd, struct file *file, int on)
907{
908	struct fuse_conn *fc = fuse_get_conn(file);
909	if (!fc)
910		return -EPERM;
911
912	/* No locking - fasync_helper does its own locking */
913	return fasync_helper(fd, file, on, &fc->fasync);
914}
915
916const struct file_operations fuse_dev_operations = {
917	.owner		= THIS_MODULE,
918	.llseek		= no_llseek,
919	.read		= fuse_dev_read,
920	.readv		= fuse_dev_readv,
921	.write		= fuse_dev_write,
922	.writev		= fuse_dev_writev,
923	.poll		= fuse_dev_poll,
924	.release	= fuse_dev_release,
925	.fasync		= fuse_dev_fasync,
926};
927
928static struct miscdevice fuse_miscdevice = {
929	.minor = FUSE_MINOR,
930	.name  = "fuse",
931	.fops = &fuse_dev_operations,
932};
933
934int __init fuse_dev_init(void)
935{
936	int err = -ENOMEM;
937	fuse_req_cachep = kmem_cache_create("fuse_request",
938					    sizeof(struct fuse_req),
939					    0, 0, NULL, NULL);
940	if (!fuse_req_cachep)
941		goto out;
942
943	err = misc_register(&fuse_miscdevice);
944	if (err)
945		goto out_cache_clean;
946
947	return 0;
948
949 out_cache_clean:
950	kmem_cache_destroy(fuse_req_cachep);
951 out:
952	return err;
953}
954
955void fuse_dev_cleanup(void)
956{
957	misc_deregister(&fuse_miscdevice);
958	kmem_cache_destroy(fuse_req_cachep);
959}