2   FUSE: Filesystem in Userspace
 
   3   Copyright (C) 2001-2006  Miklos Szeredi <miklos@szeredi.hu>
 
   5   This program can be distributed under the terms of the GNU GPL.
 
  11 #include <linux/init.h>
 
  12 #include <linux/module.h>
 
  13 #include <linux/poll.h>
 
  14 #include <linux/uio.h>
 
  15 #include <linux/miscdevice.h>
 
  16 #include <linux/pagemap.h>
 
  17 #include <linux/file.h>
 
  18 #include <linux/slab.h>
 
  20 MODULE_ALIAS_MISCDEV(FUSE_MINOR);
 
  22 static struct kmem_cache *fuse_req_cachep;
 
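/*
 * Return the connection attached to a FUSE device file.
 *
 * The pointer is read straight from file->private_data and handed back
 * without any NULL check.
 * NOTE(review): the inner comment says the field is set during mount, so a
 * caller may see it unset before then - confirm each caller handles that.
 */
static struct fuse_conn *fuse_get_conn(struct file *file)
{
	/*
	 * Lockless access is OK, because file->private_data is set
	 * once during mount and is valid until the file is released.
	 */
	return file->private_data;
}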
 
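/*
 * Put a request into its initial state: zero the whole structure, set up
 * its two list heads and its wait queue, and start the reference count
 * at 1.
 */
static void fuse_request_init(struct fuse_req *req)
{
	/*
	 * Zero first: this is also run on a request that is being reused
	 * (put_reserved_req), so no field may keep a value from the
	 * previous use.
	 */
	memset(req, 0, sizeof(*req));
	INIT_LIST_HEAD(&req->list);
	INIT_LIST_HEAD(&req->intr_entry);
	init_waitqueue_head(&req->waitq);
	atomic_set(&req->count, 1);
}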
 
  42 struct fuse_req *fuse_request_alloc(void)
 
  44         struct fuse_req *req = kmem_cache_alloc(fuse_req_cachep, GFP_KERNEL);
 
  46                 fuse_request_init(req);
 
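/*
 * Give a request back to the fuse_req_cachep slab cache.  The caller must
 * not touch req afterwards; nothing here checks the reference count.
 */
void fuse_request_free(struct fuse_req *req)
{
	kmem_cache_free(fuse_req_cachep, req);
}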
 
  55 static void block_sigs(sigset_t *oldset)
 
  59         siginitsetinv(&mask, sigmask(SIGKILL));
 
  60         sigprocmask(SIG_BLOCK, &mask, oldset);
 
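/*
 * Reinstall the signal mask saved in *oldset, replacing the current mask
 * as a whole (SIG_SETMASK).  Counterpart of block_sigs().
 */
static void restore_sigs(sigset_t *oldset)
{
	sigprocmask(SIG_SETMASK, oldset, NULL);
}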
 
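/* Take one more reference on a request the caller already holds. */
static void __fuse_get_request(struct fuse_req *req)
{
	atomic_inc(&req->count);
}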
 
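/*
 * Drop a reference that is known not to be the last one.
 *
 * Must be called with > 1 refcount.  This function never frees the
 * request, so letting the count reach zero here would leave it
 * unreleased; the BUG_ON turns a violated precondition into an immediate
 * stop instead of a silent refcount error.
 */
static void __fuse_put_request(struct fuse_req *req)
{
	BUG_ON(atomic_read(&req->count) < 2);
	atomic_dec(&req->count);
}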
 
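/*
 * Stamp the request's input header with the calling task's filesystem
 * uid and gid and its pid.  The header is what fuse_dev_read() copies out
 * to the userspace filesystem, so these are the caller identity values it
 * gets to see for the request.
 */
static void fuse_req_init_context(struct fuse_req *req)
{
	req->in.h.uid = current->fsuid;
	req->in.h.gid = current->fsgid;
	req->in.h.pid = current->pid;
}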
 
  87 struct fuse_req *fuse_get_req(struct fuse_conn *fc)
 
  94         atomic_inc(&fc->num_waiting);
 
  96         intr = wait_event_interruptible(fc->blocked_waitq, !fc->blocked);
 
  97         restore_sigs(&oldset);
 
 106         req = fuse_request_alloc();
 
 111         fuse_req_init_context(req);
 
 116         atomic_dec(&fc->num_waiting);
 
 121  * Return request in fuse_file->reserved_req.  However that may
 
 122  * currently be in use.  If that is the case, wait for it to become
 
 125 static struct fuse_req *get_reserved_req(struct fuse_conn *fc,
 
 128         struct fuse_req *req = NULL;
 
 129         struct fuse_file *ff = file->private_data;
 
 132                 wait_event(fc->reserved_req_waitq, ff->reserved_req);
 
 133                 spin_lock(&fc->lock);
 
 134                 if (ff->reserved_req) {
 
 135                         req = ff->reserved_req;
 
 136                         ff->reserved_req = NULL;
 
 138                         req->stolen_file = file;
 
 140                 spin_unlock(&fc->lock);
 
 147  * Put stolen request back into fuse_file->reserved_req
 
 149 static void put_reserved_req(struct fuse_conn *fc, struct fuse_req *req)
 
 151         struct file *file = req->stolen_file;
 
 152         struct fuse_file *ff = file->private_data;
 
 154         spin_lock(&fc->lock);
 
 155         fuse_request_init(req);
 
 156         BUG_ON(ff->reserved_req);
 
 157         ff->reserved_req = req;
 
 158         wake_up_all(&fc->reserved_req_waitq);
 
 159         spin_unlock(&fc->lock);
 
 164  * Gets a request for a file operation, always succeeds
 
 166  * This is used for sending the FLUSH request, which must get to
 
 167  * userspace, due to POSIX locks which may need to be unlocked.
 
 169  * If allocation fails due to OOM, use the reserved request in
 
 172  * This is very unlikely to deadlock accidentally, since the
 
 173  * filesystem should not have its own file open.  If deadlock is
 
 174  * intentional, it can still be broken by "aborting" the filesystem.
 
 176 struct fuse_req *fuse_get_req_nofail(struct fuse_conn *fc, struct file *file)
 
 178         struct fuse_req *req;
 
 180         atomic_inc(&fc->num_waiting);
 
 181         wait_event(fc->blocked_waitq, !fc->blocked);
 
 182         req = fuse_request_alloc();
 
 184                 req = get_reserved_req(fc, file);
 
 186         fuse_req_init_context(req);
 
 191 void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req)
 
 193         if (atomic_dec_and_test(&req->count)) {
 
 195                         atomic_dec(&fc->num_waiting);
 
 197                 if (req->stolen_file)
 
 198                         put_reserved_req(fc, req);
 
 200                         fuse_request_free(req);
 
 204 static unsigned len_args(unsigned numargs, struct fuse_arg *args)
 
 209         for (i = 0; i < numargs; i++)
 
 210                 nbytes += args[i].size;
 
 215 static u64 fuse_get_unique(struct fuse_conn *fc)
 
 218         /* zero is special */
 
 225 static void queue_request(struct fuse_conn *fc, struct fuse_req *req)
 
 227         req->in.h.unique = fuse_get_unique(fc);
 
 228         req->in.h.len = sizeof(struct fuse_in_header) +
 
 229                 len_args(req->in.numargs, (struct fuse_arg *) req->in.args);
 
 230         list_add_tail(&req->list, &fc->pending);
 
 231         req->state = FUSE_REQ_PENDING;
 
 234                 atomic_inc(&fc->num_waiting);
 
 237         kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 
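/*
 * Move queued background requests onto the pending list until either the
 * background queue is empty or FUSE_MAX_BACKGROUND of them are active.
 *
 * The cap bounds how many background requests can be outstanding at the
 * userspace filesystem at once.
 * NOTE(review): no locking is visible here; presumably the caller holds
 * fc->lock - confirm against the call sites.
 */
static void flush_bg_queue(struct fuse_conn *fc)
{
	while (fc->active_background < FUSE_MAX_BACKGROUND &&
	       !list_empty(&fc->bg_queue)) {
		struct fuse_req *req;

		/* Oldest entry first: take the head of the queue. */
		req = list_entry(fc->bg_queue.next, struct fuse_req, list);
		list_del(&req->list);
		fc->active_background++;
		queue_request(fc, req);
	}
}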
 
 254  * This function is called when a request is finished.  Either a reply
 
 255  * has arrived or it was aborted (and not yet sent) or some error
 
 256  * occurred during communication with userspace, or the device file
 
 257  * was closed.  The requester thread is woken up (if still waiting),
 
 258  * the 'end' callback is called if given, else the reference to the
 
 259  * request is released
 
 261  * Called with fc->lock, unlocks it
 
 263 static void request_end(struct fuse_conn *fc, struct fuse_req *req)
 
 266         void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
 
 268         list_del(&req->list);
 
 269         list_del(&req->intr_entry);
 
 270         req->state = FUSE_REQ_FINISHED;
 
 271         if (req->background) {
 
 272                 if (fc->num_background == FUSE_MAX_BACKGROUND) {
 
 274                         wake_up_all(&fc->blocked_waitq);
 
 276                 if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
 
 277                         clear_bdi_congested(&fc->bdi, READ);
 
 278                         clear_bdi_congested(&fc->bdi, WRITE);
 
 280                 fc->num_background--;
 
 281                 fc->active_background--;
 
 284         spin_unlock(&fc->lock);
 
 285         wake_up(&req->waitq);
 
 289                 fuse_put_request(fc, req);
 
 292 static void wait_answer_interruptible(struct fuse_conn *fc,
 
 293                                       struct fuse_req *req)
 
 295         if (signal_pending(current))
 
 298         spin_unlock(&fc->lock);
 
 299         wait_event_interruptible(req->waitq, req->state == FUSE_REQ_FINISHED);
 
 300         spin_lock(&fc->lock);
 
 303 static void queue_interrupt(struct fuse_conn *fc, struct fuse_req *req)
 
 305         list_add_tail(&req->intr_entry, &fc->interrupts);
 
 307         kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 
 310 /* Called with fc->lock held.  Releases, and then reacquires it. */
 
 311 static void request_wait_answer(struct fuse_conn *fc, struct fuse_req *req)
 
 313         if (!fc->no_interrupt) {
 
 314                 /* Any signal may interrupt this */
 
 315                 wait_answer_interruptible(fc, req);
 
 319                 if (req->state == FUSE_REQ_FINISHED)
 
 322                 req->interrupted = 1;
 
 323                 if (req->state == FUSE_REQ_SENT)
 
 324                         queue_interrupt(fc, req);
 
 330                 /* Only fatal signals may interrupt this */
 
 332                 wait_answer_interruptible(fc, req);
 
 333                 restore_sigs(&oldset);
 
 337                 if (req->state == FUSE_REQ_FINISHED)
 
 340                 /* Request is not yet in userspace, bail out */
 
 341                 if (req->state == FUSE_REQ_PENDING) {
 
 342                         list_del(&req->list);
 
 343                         __fuse_put_request(req);
 
 344                         req->out.h.error = -EINTR;
 
 350          * Either request is already in userspace, or it was forced.
 
 353         spin_unlock(&fc->lock);
 
 354         wait_event(req->waitq, req->state == FUSE_REQ_FINISHED);
 
 355         spin_lock(&fc->lock);
 
 361         BUG_ON(req->state != FUSE_REQ_FINISHED);
 
 363                 /* This is uninterruptible sleep, because data is
 
 364                    being copied to/from the buffers of req.  During
 
 365                    locked state, there mustn't be any filesystem
 
 366                    operation (e.g. page fault), since that could lead
 
 368                 spin_unlock(&fc->lock);
 
 369                 wait_event(req->waitq, !req->locked);
 
 370                 spin_lock(&fc->lock);
 
 374 void request_send(struct fuse_conn *fc, struct fuse_req *req)
 
 377         spin_lock(&fc->lock);
 
 379                 req->out.h.error = -ENOTCONN;
 
 380         else if (fc->conn_error)
 
 381                 req->out.h.error = -ECONNREFUSED;
 
 383                 queue_request(fc, req);
 
 384                 /* acquire extra reference, since request is still needed
 
 385                    after request_end() */
 
 386                 __fuse_get_request(req);
 
 388                 request_wait_answer(fc, req);
 
 390         spin_unlock(&fc->lock);
 
 393 static void request_send_nowait_locked(struct fuse_conn *fc,
 
 394                                        struct fuse_req *req)
 
 397         fc->num_background++;
 
 398         if (fc->num_background == FUSE_MAX_BACKGROUND)
 
 400         if (fc->num_background == FUSE_CONGESTION_THRESHOLD) {
 
 401                 set_bdi_congested(&fc->bdi, READ);
 
 402                 set_bdi_congested(&fc->bdi, WRITE);
 
 404         list_add_tail(&req->list, &fc->bg_queue);
 
 408 static void request_send_nowait(struct fuse_conn *fc, struct fuse_req *req)
 
 410         spin_lock(&fc->lock);
 
 412                 request_send_nowait_locked(fc, req);
 
 413                 spin_unlock(&fc->lock);
 
 415                 req->out.h.error = -ENOTCONN;
 
 416                 request_end(fc, req);
 
 420 void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req)
 
 423         request_send_nowait(fc, req);
 
 426 void request_send_background(struct fuse_conn *fc, struct fuse_req *req)
 
 429         request_send_nowait(fc, req);
 
 433  * Lock the request.  Up to the next unlock_request() there mustn't be
 
 434  * anything that could cause a page-fault.  If the request was already
 
 437 static int lock_request(struct fuse_conn *fc, struct fuse_req *req)
 
 441                 spin_lock(&fc->lock);
 
 446                 spin_unlock(&fc->lock);
 
 452  * Unlock request.  If it was aborted during being locked, the
 
 453  * requester thread is currently waiting for it to be unlocked, so
 
 456 static void unlock_request(struct fuse_conn *fc, struct fuse_req *req)
 
 459                 spin_lock(&fc->lock);
 
 462                         wake_up(&req->waitq);
 
 463                 spin_unlock(&fc->lock);
 
 467 struct fuse_copy_state {
 
 468         struct fuse_conn *fc;
 
 470         struct fuse_req *req;
 
 471         const struct iovec *iov;
 
 472         unsigned long nr_segs;
 
 473         unsigned long seglen;
 
 481 static void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *fc,
 
 482                            int write, struct fuse_req *req,
 
 483                            const struct iovec *iov, unsigned long nr_segs)
 
 485         memset(cs, 0, sizeof(*cs));
 
 490         cs->nr_segs = nr_segs;
 
 493 /* Unmap and put previous page of userspace buffer */
 
 494 static void fuse_copy_finish(struct fuse_copy_state *cs)
 
 497                 kunmap_atomic(cs->mapaddr, KM_USER0);
 
 499                         flush_dcache_page(cs->pg);
 
 500                         set_page_dirty_lock(cs->pg);
 
 508  * Get another pagefull of userspace buffer, and map it to kernel
 
 509  * address space, and lock request
 
/*
 * Pin one page of the caller-supplied buffer with get_user_pages(), map it
 * with kmap_atomic(), and point cs->buf / cs->len at the usable part of
 * that page.  The request is unlocked before the user page is touched and
 * locked again on the way out.
 * NOTE(review): the gutter numbers skip, so several lines of this function
 * (braces, declarations, error checks) are missing from the listing.
 */
 511 static int fuse_copy_fill(struct fuse_copy_state *cs)
 
 513         unsigned long offset;
 
/* Drop the request lock and the previous mapping before touching user memory. */
 516         unlock_request(cs->fc, cs->req);
 
 517         fuse_copy_finish(cs);
 
/*
 * Start of a new iovec segment (the enclosing condition is not shown).
 * Running out of segments here is treated as a kernel bug, not as an error
 * to return.
 */
 519                 BUG_ON(!cs->nr_segs);
 
 520                 cs->seglen = cs->iov[0].iov_len;
 
 521                 cs->addr = (unsigned long) cs->iov[0].iov_base;
 
/*
 * NOTE(review): "¤t" on the next line and on listing line 528 is a
 * mis-encoded "&current" (an HTML-entity artefact of the page); the
 * argument is current->mm->mmap_sem, taken for reading around the
 * get_user_pages() call.
 */
 525         down_read(¤t->mm->mmap_sem);
 
/*
 * Exactly one page is requested; cs->write selects write access to it.
 * The rest of the call and the check of err are not shown in the listing.
 */
 526         err = get_user_pages(current, current->mm, cs->addr, 1, cs->write, 0,
 
 528         up_read(¤t->mm->mmap_sem);
 
 532         offset = cs->addr % PAGE_SIZE;
 
 533         cs->mapaddr = kmap_atomic(cs->pg, KM_USER0);
 
 534         cs->buf = cs->mapaddr + offset;
 
/*
 * Clamp the window to the end of the mapped page and to what is left of
 * the current segment, so a later copy cannot run past either bound.
 */
 535         cs->len = min(PAGE_SIZE - offset, cs->seglen);
 
 536         cs->seglen -= cs->len;
 
/* Re-lock the request; its result is this function's return value. */
 539         return lock_request(cs->fc, cs->req);
 
 542 /* Do as much copy to/from userspace buffer as we can */
 
 543 static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
 
 545         unsigned ncpy = min(*size, cs->len);
 
 548                         memcpy(cs->buf, *val, ncpy);
 
 550                         memcpy(*val, cs->buf, ncpy);
 
 560  * Copy a page in the request to/from the userspace buffer.  Must be
 
 563 static int fuse_copy_page(struct fuse_copy_state *cs, struct page *page,
 
 564                           unsigned offset, unsigned count, int zeroing)
 
 566         if (page && zeroing && count < PAGE_SIZE) {
 
 567                 void *mapaddr = kmap_atomic(page, KM_USER1);
 
 568                 memset(mapaddr, 0, PAGE_SIZE);
 
 569                 kunmap_atomic(mapaddr, KM_USER1);
 
 573                 if (!cs->len && (err = fuse_copy_fill(cs)))
 
 576                         void *mapaddr = kmap_atomic(page, KM_USER1);
 
 577                         void *buf = mapaddr + offset;
 
 578                         offset += fuse_copy_do(cs, &buf, &count);
 
 579                         kunmap_atomic(mapaddr, KM_USER1);
 
 581                         offset += fuse_copy_do(cs, NULL, &count);
 
 583         if (page && !cs->write)
 
 584                 flush_dcache_page(page);
 
 588 /* Copy pages in the request to/from userspace buffer */
 
 589 static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
 
 593         struct fuse_req *req = cs->req;
 
 594         unsigned offset = req->page_offset;
 
 595         unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
 
 597         for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
 
 598                 struct page *page = req->pages[i];
 
 599                 int err = fuse_copy_page(cs, page, offset, count, zeroing);
 
 604                 count = min(nbytes, (unsigned) PAGE_SIZE);
 
 610 /* Copy a single argument in the request to/from userspace buffer */
 
 611 static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size)
 
 615                 if (!cs->len && (err = fuse_copy_fill(cs)))
 
 617                 fuse_copy_do(cs, &val, &size);
 
 622 /* Copy request arguments to/from userspace buffer */
 
 623 static int fuse_copy_args(struct fuse_copy_state *cs, unsigned numargs,
 
 624                           unsigned argpages, struct fuse_arg *args,
 
 630         for (i = 0; !err && i < numargs; i++)  {
 
 631                 struct fuse_arg *arg = &args[i];
 
 632                 if (i == numargs - 1 && argpages)
 
 633                         err = fuse_copy_pages(cs, arg->size, zeroing);
 
 635                         err = fuse_copy_one(cs, arg->value, arg->size);
 
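/*
 * Non-zero when the device has something to hand to a reader: a request on
 * the pending list or an interrupt on the interrupts list.
 */
static int request_pending(struct fuse_conn *fc)
{
	return !list_empty(&fc->pending) || !list_empty(&fc->interrupts);
}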
 
 645 /* Wait until a request is available on the pending list */
 
 646 static void request_wait(struct fuse_conn *fc)
 
 648         DECLARE_WAITQUEUE(wait, current);
 
 650         add_wait_queue_exclusive(&fc->waitq, &wait);
 
 651         while (fc->connected && !request_pending(fc)) {
 
 652                 set_current_state(TASK_INTERRUPTIBLE);
 
 653                 if (signal_pending(current))
 
 656                 spin_unlock(&fc->lock);
 
 658                 spin_lock(&fc->lock);
 
 660         set_current_state(TASK_RUNNING);
 
 661         remove_wait_queue(&fc->waitq, &wait);
 
 665  * Transfer an interrupt request to userspace
 
 667  * Unlike other requests this is assembled on demand, without a need
 
 668  * to allocate a separate fuse_req structure.
 
 670  * Called with fc->lock held, releases it
 
 672 static int fuse_read_interrupt(struct fuse_conn *fc, struct fuse_req *req,
 
 673                                const struct iovec *iov, unsigned long nr_segs)
 
 676         struct fuse_copy_state cs;
 
 677         struct fuse_in_header ih;
 
 678         struct fuse_interrupt_in arg;
 
 679         unsigned reqsize = sizeof(ih) + sizeof(arg);
 
 682         list_del_init(&req->intr_entry);
 
 683         req->intr_unique = fuse_get_unique(fc);
 
 684         memset(&ih, 0, sizeof(ih));
 
 685         memset(&arg, 0, sizeof(arg));
 
 687         ih.opcode = FUSE_INTERRUPT;
 
 688         ih.unique = req->intr_unique;
 
 689         arg.unique = req->in.h.unique;
 
 691         spin_unlock(&fc->lock);
 
 692         if (iov_length(iov, nr_segs) < reqsize)
 
 695         fuse_copy_init(&cs, fc, 1, NULL, iov, nr_segs);
 
 696         err = fuse_copy_one(&cs, &ih, sizeof(ih));
 
 698                 err = fuse_copy_one(&cs, &arg, sizeof(arg));
 
 699         fuse_copy_finish(&cs);
 
 701         return err ? err : reqsize;
 
 705  * Read a single request into the userspace filesystem's buffer.  This
 
 706  * function waits until a request is available, then removes it from
 
 707  * the pending list and copies request data to userspace buffer.  If
 
 708  * no reply is needed (FORGET) or request has been aborted or there
 
 709  * was an error during the copying then it's finished by calling
 
 710  * request_end().  Otherwise add it to the processing list, and set
 
 713 static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
 
 714                               unsigned long nr_segs, loff_t pos)
 
 717         struct fuse_req *req;
 
 719         struct fuse_copy_state cs;
 
 721         struct file *file = iocb->ki_filp;
 
 722         struct fuse_conn *fc = fuse_get_conn(file);
 
 727         spin_lock(&fc->lock);
 
 729         if ((file->f_flags & O_NONBLOCK) && fc->connected &&
 
 730             !request_pending(fc))
 
 738         if (!request_pending(fc))
 
 741         if (!list_empty(&fc->interrupts)) {
 
 742                 req = list_entry(fc->interrupts.next, struct fuse_req,
 
 744                 return fuse_read_interrupt(fc, req, iov, nr_segs);
 
 747         req = list_entry(fc->pending.next, struct fuse_req, list);
 
 748         req->state = FUSE_REQ_READING;
 
 749         list_move(&req->list, &fc->io);
 
 753         /* If request is too large, reply with an error and restart the read */
 
 754         if (iov_length(iov, nr_segs) < reqsize) {
 
 755                 req->out.h.error = -EIO;
 
 756                 /* SETXATTR is special, since it may contain too large data */
 
 757                 if (in->h.opcode == FUSE_SETXATTR)
 
 758                         req->out.h.error = -E2BIG;
 
 759                 request_end(fc, req);
 
 762         spin_unlock(&fc->lock);
 
 763         fuse_copy_init(&cs, fc, 1, req, iov, nr_segs);
 
 764         err = fuse_copy_one(&cs, &in->h, sizeof(in->h));
 
 766                 err = fuse_copy_args(&cs, in->numargs, in->argpages,
 
 767                                      (struct fuse_arg *) in->args, 0);
 
 768         fuse_copy_finish(&cs);
 
 769         spin_lock(&fc->lock);
 
 772                 request_end(fc, req);
 
 776                 req->out.h.error = -EIO;
 
 777                 request_end(fc, req);
 
 781                 request_end(fc, req);
 
 783                 req->state = FUSE_REQ_SENT;
 
 784                 list_move_tail(&req->list, &fc->processing);
 
 785                 if (req->interrupted)
 
 786                         queue_interrupt(fc, req);
 
 787                 spin_unlock(&fc->lock);
 
 792         spin_unlock(&fc->lock);
 
 796 /* Look up request on processing list by unique ID */
 
 797 static struct fuse_req *request_find(struct fuse_conn *fc, u64 unique)
 
 799         struct list_head *entry;
 
 801         list_for_each(entry, &fc->processing) {
 
 802                 struct fuse_req *req;
 
 803                 req = list_entry(entry, struct fuse_req, list);
 
 804                 if (req->in.h.unique == unique || req->intr_unique == unique)
 
/*
 * Check the length of a reply written by the userspace filesystem against
 * what the request expects, then copy the reply arguments into the request.
 * nbytes is the total size of the write, header included.
 * NOTE(review): the gutter numbers skip, so branch bodies and part of the
 * parameter list are missing from this listing.
 */
 810 static int copy_out_args(struct fuse_copy_state *cs, struct fuse_out *out,
 
 813         unsigned reqsize = sizeof(struct fuse_out_header);
 
/*
 * The condition guarding this return (listing line 815) is not shown.
 * When it is taken, the reply has to be exactly one bare header.
 */
 816                 return nbytes != reqsize ? -EINVAL : 0;
 
 818         reqsize += len_args(out->numargs, out->args);
 
/*
 * A reply longer than expected, or a shorter one when the request has no
 * variable-length argument (out->argvar clear), takes this branch; its
 * body is not shown - presumably an error return.
 */
 820         if (reqsize < nbytes || (reqsize > nbytes && !out->argvar))
 
/* Short reply with argvar set: the last argument shrinks by the shortfall. */
 822         else if (reqsize > nbytes) {
 
 823                 struct fuse_arg *lastarg = &out->args[out->numargs-1];
 
 824                 unsigned diffsize = reqsize - nbytes;
 
/*
 * Guards the unsigned subtraction below against wrapping when the shortfall
 * exceeds the last argument's size (branch body not shown).
 */
 825                 if (diffsize > lastarg->size)
 
 827                 lastarg->size -= diffsize;
 
 829         return fuse_copy_args(cs, out->numargs, out->argpages, out->args,
 
 834  * Write a single reply to a request.  First the header is copied from
 
 835  * the write buffer.  The request is then searched on the processing
 
 836  * list by the unique ID found in the header.  If found, then remove
 
 837  * it from the list and copy the rest of the buffer to the request.
 
 838  * The request is finished by calling request_end()
 
/*
 * Handle one reply written to the FUSE device.
 *
 * Everything in iov comes from the userspace filesystem, so the reply
 * header is length- and range-checked before its unique ID is used to look
 * up a request, and the payload length is checked again in copy_out_args().
 * NOTE(review): the gutter numbers skip, so labels, braces and most branch
 * bodies are missing from this listing; comments below describe only the
 * lines that are visible.
 */
 840 static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
 
 841                                unsigned long nr_segs, loff_t pos)
 
 844         unsigned nbytes = iov_length(iov, nr_segs);
 
 845         struct fuse_req *req;
 
 846         struct fuse_out_header oh;
 
 847         struct fuse_copy_state cs;
 
 848         struct fuse_conn *fc = fuse_get_conn(iocb->ki_filp);
 
 852         fuse_copy_init(&cs, fc, 0, NULL, iov, nr_segs);
 
/* A write shorter than a reply header cannot be parsed (branch body not shown). */
 853         if (nbytes < sizeof(struct fuse_out_header))
 
 856         err = fuse_copy_one(&cs, &oh, sizeof(oh));
 
/*
 * Sanity-check the header supplied by the writer: unique must be non-zero
 * and error must lie in the range (-1000, 0].  The rest of this condition
 * is on a line missing from the listing.
 */
 860         if (!oh.unique || oh.error <= -1000 || oh.error > 0 ||
 
 864         spin_lock(&fc->lock);
 
/*
 * Look the request up by the writer-supplied ID.  request_find() searches
 * the processing list and matches either the request's own unique ID or
 * its intr_unique.
 */
 869         req = request_find(fc, oh.unique);
 
/* The lock is dropped around fuse_copy_finish() and retaken for request_end(). */
 874                 spin_unlock(&fc->lock);
 
 875                 fuse_copy_finish(&cs);
 
 876                 spin_lock(&fc->lock);
 
 877                 request_end(fc, req);
 
 880         /* Is it an interrupt reply? */
 
 881         if (req->intr_unique == oh.unique) {
 
/* An interrupt reply is header-only; any other length takes this branch (body not shown). */
 883                 if (nbytes != sizeof(struct fuse_out_header))
 
/*
 * -ENOSYS: remember that interrupts are unsupported (request_wait_answer()
 * tests fc->no_interrupt).  -EAGAIN: queue the interrupt again.
 */
 886                 if (oh.error == -ENOSYS)
 
 887                         fc->no_interrupt = 1;
 
 888                 else if (oh.error == -EAGAIN)
 
 889                         queue_interrupt(fc, req);
 
 891                 spin_unlock(&fc->lock);
 
 892                 fuse_copy_finish(&cs);
 
/* Park the request on fc->io while the payload is copied with fc->lock dropped. */
 896         req->state = FUSE_REQ_WRITING;
 
 897         list_move(&req->list, &fc->io);
 
 901         spin_unlock(&fc->lock);
 
/* copy_out_args() checks nbytes against the argument sizes the request expects. */
 903         err = copy_out_args(&cs, &req->out, nbytes);
 
 904         fuse_copy_finish(&cs);
 
 906         spin_lock(&fc->lock);
 
/* The first half of this if/else is not shown; a request not aborted here ends with -EIO. */
 911         } else if (!req->aborted)
 
 912                 req->out.h.error = -EIO;
 
 913         request_end(fc, req);
 
 915         return err ? err : nbytes;
 
 918         spin_unlock(&fc->lock);
 
 920         fuse_copy_finish(&cs);
 
 924 static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
 
 926         unsigned mask = POLLOUT | POLLWRNORM;
 
 927         struct fuse_conn *fc = fuse_get_conn(file);
 
 931         poll_wait(file, &fc->waitq, wait);
 
 933         spin_lock(&fc->lock);
 
 936         else if (request_pending(fc))
 
 937                 mask |= POLLIN | POLLRDNORM;
 
 938         spin_unlock(&fc->lock);
 
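/*
 * Abort all requests on the given list (pending or processing)
 *
 * Every request on the list is completed with -ECONNABORTED.
 *
 * This function releases and reacquires fc->lock: request_end() is entered
 * with the lock held and returns with it dropped, so the lock is taken
 * again before the list is looked at for the next entry.
 */
static void end_requests(struct fuse_conn *fc, struct list_head *head)
{
	while (!list_empty(head)) {
		struct fuse_req *req;

		req = list_entry(head->next, struct fuse_req, list);
		req->out.h.error = -ECONNABORTED;
		/* request_end() unlinks req from the list, so the loop advances. */
		request_end(fc, req);
		spin_lock(&fc->lock);
	}
}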
 
 960  * Abort requests under I/O
 
 962  * The requests are set to aborted and finished, and the request
 
 963  * waiter is woken up.  This will make request_wait_answer() wait
 
 964  * until the request is unlocked and then return.
 
 966  * If the request is asynchronous, then the end function needs to be
 
 967  * called after waiting for the request to be unlocked (if it was
 
 970 static void end_io_requests(struct fuse_conn *fc)
 
 972         while (!list_empty(&fc->io)) {
 
 973                 struct fuse_req *req =
 
 974                         list_entry(fc->io.next, struct fuse_req, list);
 
 975                 void (*end) (struct fuse_conn *, struct fuse_req *) = req->end;
 
 978                 req->out.h.error = -ECONNABORTED;
 
 979                 req->state = FUSE_REQ_FINISHED;
 
 980                 list_del_init(&req->list);
 
 981                 wake_up(&req->waitq);
 
 984                         /* The end function will consume this reference */
 
 985                         __fuse_get_request(req);
 
 986                         spin_unlock(&fc->lock);
 
 987                         wait_event(req->waitq, !req->locked);
 
 989                         spin_lock(&fc->lock);
 
 995  * Abort all requests.
 
 997  * Emergency exit in case of a malicious or accidental deadlock, or
 
 998  * just a hung filesystem.
 
1000  * The same effect is usually achievable through killing the
 
1001  * filesystem daemon and all users of the filesystem.  The exception
 
1002  * is the combination of an asynchronous request and the tricky
 
1003  * deadlock (see Documentation/filesystems/fuse.txt).
 
1005  * During the aborting, progression of requests from the pending and
 
1006  * processing lists onto the io list, and progression of new requests
 
1007  * onto the pending list is prevented by fc->connected being false.
 
1009  * Progression of requests under I/O to the processing list is
 
1010  * prevented by the req->aborted flag being true for these requests.
 
1011  * For this reason requests on the io list must be aborted first.
 
1013 void fuse_abort_conn(struct fuse_conn *fc)
 
1015         spin_lock(&fc->lock);
 
1016         if (fc->connected) {
 
1019                 end_io_requests(fc);
 
1020                 end_requests(fc, &fc->pending);
 
1021                 end_requests(fc, &fc->processing);
 
1022                 wake_up_all(&fc->waitq);
 
1023                 wake_up_all(&fc->blocked_waitq);
 
1024                 kill_fasync(&fc->fasync, SIGIO, POLL_IN);
 
1026         spin_unlock(&fc->lock);
 
1029 static int fuse_dev_release(struct inode *inode, struct file *file)
 
1031         struct fuse_conn *fc = fuse_get_conn(file);
 
1033                 spin_lock(&fc->lock);
 
1035                 end_requests(fc, &fc->pending);
 
1036                 end_requests(fc, &fc->processing);
 
1037                 spin_unlock(&fc->lock);
 
1038                 fasync_helper(-1, file, 0, &fc->fasync);
 
1045 static int fuse_dev_fasync(int fd, struct file *file, int on)
 
1047         struct fuse_conn *fc = fuse_get_conn(file);
 
1051         /* No locking - fasync_helper does its own locking */
 
1052         return fasync_helper(fd, file, on, &fc->fasync);
 
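/*
 * File operations of the FUSE device node.  Reads hand requests to the
 * userspace filesystem (fuse_dev_read) and writes take its replies
 * (fuse_dev_write); the plain read/write entries are the generic
 * synchronous wrappers, and seeking is disabled with no_llseek.
 */
const struct file_operations fuse_dev_operations = {
	.owner		= THIS_MODULE,
	.llseek		= no_llseek,
	.read		= do_sync_read,
	.aio_read	= fuse_dev_read,
	.write		= do_sync_write,
	.aio_write	= fuse_dev_write,
	.poll		= fuse_dev_poll,
	.release	= fuse_dev_release,
	.fasync		= fuse_dev_fasync,
};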
 
1067 static struct miscdevice fuse_miscdevice = {
 
1068         .minor = FUSE_MINOR,
 
1070         .fops = &fuse_dev_operations,
 
1073 int __init fuse_dev_init(void)
 
1076         fuse_req_cachep = kmem_cache_create("fuse_request",
 
1077                                             sizeof(struct fuse_req),
 
1079         if (!fuse_req_cachep)
 
1082         err = misc_register(&fuse_miscdevice);
 
1084                 goto out_cache_clean;
 
1089         kmem_cache_destroy(fuse_req_cachep);
 
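/*
 * Undo fuse_dev_init(): unregister the misc device first so the device
 * node is gone before the request cache it relies on is destroyed.
 */
void fuse_dev_cleanup(void)
{
	misc_deregister(&fuse_miscdevice);
	kmem_cache_destroy(fuse_req_cachep);
}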