2005-04-17 06:20:36 +08:00
|
|
|
Changes since 2.5.0:
|
|
|
|
|
2008-02-03 23:59:17 +08:00
|
|
|
---
|
2005-04-17 06:20:36 +08:00
|
|
|
[recommended]
|
|
|
|
|
|
|
|
New helpers: sb_bread(), sb_getblk(), sb_find_get_block(), set_bh(),
|
|
|
|
sb_set_blocksize() and sb_min_blocksize().
|
|
|
|
|
|
|
|
Use them.
|
|
|
|
|
|
|
|
(sb_find_get_block() replaces 2.4's get_hash_table())
|
|
|
|
|
2008-02-03 23:59:17 +08:00
|
|
|
---
|
2005-04-17 06:20:36 +08:00
|
|
|
[recommended]
|
|
|
|
|
|
|
|
New methods: ->alloc_inode() and ->destroy_inode().
|
|
|
|
|
|
|
|
Remove inode->u.foo_inode_i
|
|
|
|
Declare
|
|
|
|
struct foo_inode_info {
|
|
|
|
/* fs-private stuff */
|
|
|
|
struct inode vfs_inode;
|
|
|
|
};
|
|
|
|
static inline struct foo_inode_info *FOO_I(struct inode *inode)
|
|
|
|
{
|
|
|
|
return list_entry(inode, struct foo_inode_info, vfs_inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
Use FOO_I(inode) instead of &inode->u.foo_inode_i;
|
|
|
|
|
2008-02-03 23:59:17 +08:00
|
|
|
Add foo_alloc_inode() and foo_destroy_inode() - the former should allocate
|
2005-04-17 06:20:36 +08:00
|
|
|
foo_inode_info and return the address of ->vfs_inode, the latter should free
|
|
|
|
FOO_I(inode) (see in-tree filesystems for examples).
|
|
|
|
|
|
|
|
Make them ->alloc_inode and ->destroy_inode in your super_operations.
|
|
|
|
|
2008-02-07 16:15:52 +08:00
|
|
|
Keep in mind that now you need explicit initialization of private data
|
|
|
|
typically between calling iget_locked() and unlocking the inode.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
At some point that will become mandatory.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
Change of file_system_type method (->read_super to ->get_sb)
|
|
|
|
|
|
|
|
->read_super() is no more. Ditto for DECLARE_FSTYPE and DECLARE_FSTYPE_DEV.
|
|
|
|
|
|
|
|
Turn your foo_read_super() into a function that would return 0 in case of
|
|
|
|
success and negative number in case of error (-EINVAL unless you have more
|
|
|
|
informative error value to report). Call it foo_fill_super(). Now declare
|
|
|
|
|
[PATCH] VFS: Permit filesystem to override root dentry on mount
Extend the get_sb() filesystem operation to take an extra argument that
permits the VFS to pass in the target vfsmount that defines the mountpoint.
The filesystem is then required to manually set the superblock and root dentry
pointers. For most filesystems, this should be done with simple_set_mnt()
which will set the superblock pointer and then set the root dentry to the
superblock's s_root (as per the old default behaviour).
The get_sb() op now returns an integer as there's now no need to return the
superblock pointer.
This patch permits a superblock to be implicitly shared amongst several mount
points, such as can be done with NFS to avoid potential inode aliasing. In
such a case, simple_set_mnt() would not be called, and instead the mnt_root
and mnt_sb would be set directly.
The patch also makes the following changes:
(*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
pointer argument and return an integer, so most filesystems have to change
very little.
(*) If one of the convenience function is not used, then get_sb() should
normally call simple_set_mnt() to instantiate the vfsmount. This will
always return 0, and so can be tail-called from get_sb().
(*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
dcache upon superblock destruction rather than shrink_dcache_anon().
This is required because the superblock may now have multiple trees that
aren't actually bound to s_root, but that still need to be cleaned up. The
currently called functions assume that the whole tree is rooted at s_root,
and that anonymous dentries are not the roots of trees which results in
dentries being left unculled.
However, with the way NFS superblock sharing are currently set to be
implemented, these assumptions are violated: the root of the filesystem is
simply a dummy dentry and inode (the real inode for '/' may well be
inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
with child trees.
[*] Anonymous until discovered from another tree.
(*) The documentation has been adjusted, including the additional bit of
changing ext2_* into foo_* in the documentation.
[akpm@osdl.org: convert ipath_fs, do other stuff]
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Scott <nathans@sgi.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-23 17:02:57 +08:00
|
|
|
int foo_get_sb(struct file_system_type *fs_type,
|
|
|
|
int flags, const char *dev_name, void *data, struct vfsmount *mnt)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
[PATCH] VFS: Permit filesystem to override root dentry on mount
Extend the get_sb() filesystem operation to take an extra argument that
permits the VFS to pass in the target vfsmount that defines the mountpoint.
The filesystem is then required to manually set the superblock and root dentry
pointers. For most filesystems, this should be done with simple_set_mnt()
which will set the superblock pointer and then set the root dentry to the
superblock's s_root (as per the old default behaviour).
The get_sb() op now returns an integer as there's now no need to return the
superblock pointer.
This patch permits a superblock to be implicitly shared amongst several mount
points, such as can be done with NFS to avoid potential inode aliasing. In
such a case, simple_set_mnt() would not be called, and instead the mnt_root
and mnt_sb would be set directly.
The patch also makes the following changes:
(*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
pointer argument and return an integer, so most filesystems have to change
very little.
(*) If one of the convenience function is not used, then get_sb() should
normally call simple_set_mnt() to instantiate the vfsmount. This will
always return 0, and so can be tail-called from get_sb().
(*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
dcache upon superblock destruction rather than shrink_dcache_anon().
This is required because the superblock may now have multiple trees that
aren't actually bound to s_root, but that still need to be cleaned up. The
currently called functions assume that the whole tree is rooted at s_root,
and that anonymous dentries are not the roots of trees which results in
dentries being left unculled.
However, with the way NFS superblock sharing are currently set to be
implemented, these assumptions are violated: the root of the filesystem is
simply a dummy dentry and inode (the real inode for '/' may well be
inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
with child trees.
[*] Anonymous until discovered from another tree.
(*) The documentation has been adjusted, including the additional bit of
changing ext2_* into foo_* in the documentation.
[akpm@osdl.org: convert ipath_fs, do other stuff]
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Scott <nathans@sgi.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-23 17:02:57 +08:00
|
|
|
return get_sb_bdev(fs_type, flags, dev_name, data, foo_fill_super,
|
|
|
|
mnt);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
(or similar with s/bdev/nodev/ or s/bdev/single/, depending on the kind of
|
|
|
|
filesystem).
|
|
|
|
|
|
|
|
Replace DECLARE_FSTYPE... with explicit initializer and have ->get_sb set as
|
|
|
|
foo_get_sb.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
Locking change: ->s_vfs_rename_sem is taken only by cross-directory renames.
|
|
|
|
Most likely there is no need to change anything, but if you relied on
|
|
|
|
global exclusion between renames for some internal purpose - you need to
|
|
|
|
change your internal locking. Otherwise exclusion warranties remain the
|
|
|
|
same (i.e. parents and victim are locked, etc.).
|
|
|
|
|
|
|
|
---
|
|
|
|
[informational]
|
|
|
|
|
|
|
|
Now we have the exclusion between ->lookup() and directory removal (by
|
|
|
|
->rmdir() and ->rename()). If you used to need that exclusion and do
|
|
|
|
it by internal locking (most of filesystems couldn't care less) - you
|
|
|
|
can relax your locking.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->lookup(), ->truncate(), ->create(), ->unlink(), ->mknod(), ->mkdir(),
|
|
|
|
->rmdir(), ->link(), ->lseek(), ->symlink(), ->rename()
|
|
|
|
and ->readdir() are called without BKL now. Grab it on entry, drop upon return
|
|
|
|
- that will guarantee the same locking you used to have. If your method or its
|
|
|
|
parts do not need BKL - better yet, now you can shift lock_kernel() and
|
|
|
|
unlock_kernel() so that they would protect exactly what needs to be
|
|
|
|
protected.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
2012-07-25 23:12:00 +08:00
|
|
|
BKL is also moved from around sb operations. BKL should have been shifted into
|
|
|
|
individual fs sb_op functions. If you don't need it, remove it.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[informational]
|
|
|
|
|
|
|
|
check for ->link() target not being a directory is done by callers. Feel
|
|
|
|
free to drop it...
|
|
|
|
|
|
|
|
---
|
|
|
|
[informational]
|
|
|
|
|
2007-05-25 00:21:43 +08:00
|
|
|
->link() callers hold ->i_mutex on the object we are linking to. Some of your
|
2005-04-17 06:20:36 +08:00
|
|
|
problems might be over...
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
new file_system_type method - kill_sb(superblock). If you are converting
|
|
|
|
an existing filesystem, set it according to ->fs_flags:
|
|
|
|
FS_REQUIRES_DEV - kill_block_super
|
|
|
|
FS_LITTER - kill_litter_super
|
|
|
|
neither - kill_anon_super
|
|
|
|
FS_LITTER is gone - just remove it from fs_flags.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
FS_SINGLE is gone (actually, that had happened back when ->get_sb()
|
|
|
|
went in - and hadn't been documented ;-/). Just remove it from fs_flags
|
|
|
|
(and see ->get_sb() entry for other actions).
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
2007-05-25 00:21:43 +08:00
|
|
|
->setattr() is called without BKL now. Caller _always_ holds ->i_mutex, so
|
|
|
|
watch for ->i_mutex-grabbing code that might be used by your ->setattr().
|
|
|
|
Callers of notify_change() need ->i_mutex now.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[recommended]
|
|
|
|
|
|
|
|
New super_block field "struct export_operations *s_export_op" for
|
|
|
|
explicit support for exporting, e.g. via NFS. The structure is fully
|
|
|
|
documented at its declaration in include/linux/fs.h, and in
|
2009-10-28 02:41:35 +08:00
|
|
|
Documentation/filesystems/nfs/Exporting.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
Briefly it allows for the definition of decode_fh and encode_fh operations
|
|
|
|
to encode and decode filehandles, and allows the filesystem to use
|
|
|
|
a standard helper function for decode_fh, and provide file-system specific
|
|
|
|
support for this helper, particularly get_parent.
|
|
|
|
|
|
|
|
It is planned that this will be required for exporting once the code
|
|
|
|
settles down a bit.
|
|
|
|
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
s_export_op is now required for exporting a filesystem.
|
|
|
|
isofs, ext2, ext3, resierfs, fat
|
|
|
|
can be used as examples of very different filesystems.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
iget4() and the read_inode2 callback have been superseded by iget5_locked()
|
|
|
|
which has the following prototype,
|
|
|
|
|
|
|
|
struct inode *iget5_locked(struct super_block *sb, unsigned long ino,
|
|
|
|
int (*test)(struct inode *, void *),
|
|
|
|
int (*set)(struct inode *, void *),
|
|
|
|
void *data);
|
|
|
|
|
|
|
|
'test' is an additional function that can be used when the inode
|
|
|
|
number is not sufficient to identify the actual file object. 'set'
|
|
|
|
should be a non-blocking function that initializes those parts of a
|
|
|
|
newly created inode to allow the test function to succeed. 'data' is
|
|
|
|
passed as an opaque value to both test and set functions.
|
|
|
|
|
2008-02-07 16:15:52 +08:00
|
|
|
When the inode has been created by iget5_locked(), it will be returned with the
|
|
|
|
I_NEW flag set and will still be locked. The filesystem then needs to finalize
|
|
|
|
the initialization. Once the inode is initialized it must be unlocked by
|
|
|
|
calling unlock_new_inode().
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
The filesystem is responsible for setting (and possibly testing) i_ino
|
|
|
|
when appropriate. There is also a simpler iget_locked function that
|
|
|
|
just takes the superblock and inode number as arguments and does the
|
|
|
|
test and set for you.
|
|
|
|
|
|
|
|
e.g.
|
2008-02-07 16:15:27 +08:00
|
|
|
inode = iget_locked(sb, ino);
|
|
|
|
if (inode->i_state & I_NEW) {
|
|
|
|
err = read_inode_from_disk(inode);
|
|
|
|
if (err < 0) {
|
|
|
|
iget_failed(inode);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
unlock_new_inode(inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
Note that if the process of setting up a new inode fails, then iget_failed()
|
|
|
|
should be called on the inode to render it dead, and an appropriate error
|
|
|
|
should be passed back to the caller.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[recommended]
|
|
|
|
|
|
|
|
->getattr() finally getting used. See instances in nfs, minix, etc.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->revalidate() is gone. If your filesystem had it - provide ->getattr()
|
|
|
|
and let it call whatever you had as ->revlidate() + (for symlinks that
|
|
|
|
had ->revalidate()) add calls in ->follow_link()/->readlink().
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->d_parent changes are not protected by BKL anymore. Read access is safe
|
|
|
|
if at least one of the following is true:
|
|
|
|
* filesystem has no cross-directory rename()
|
|
|
|
* we know that parent had been locked (e.g. we are looking at
|
|
|
|
->d_parent of ->lookup() argument).
|
|
|
|
* we are called from ->rename().
|
|
|
|
* the child's ->d_lock is held
|
|
|
|
Audit your code and add locking if needed. Notice that any place that is
|
|
|
|
not protected by the conditions above is risky even in the old tree - you
|
|
|
|
had been relying on BKL and that's prone to screwups. Old tree had quite
|
|
|
|
a few holes of that kind - unprotected access to ->d_parent leading to
|
|
|
|
anything from oops to silent memory corruption.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
2017-07-17 15:45:35 +08:00
|
|
|
FS_NOMOUNT is gone. If you use it - just set SB_NOUSER in flags
|
2005-04-17 06:20:36 +08:00
|
|
|
(see rootfs for one kind of solution and bdev/socket/pipe for another).
|
|
|
|
|
|
|
|
---
|
|
|
|
[recommended]
|
|
|
|
|
|
|
|
Use bdev_read_only(bdev) instead of is_read_only(kdev). The latter
|
|
|
|
is still alive, but only because of the mess in drivers/s390/block/dasd.c.
|
|
|
|
As soon as it gets fixed is_read_only() will die.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->permission() is called without BKL now. Grab it on entry, drop upon
|
|
|
|
return - that will guarantee the same locking you used to have. If
|
|
|
|
your method or its parts do not need BKL - better yet, now you can
|
|
|
|
shift lock_kernel() and unlock_kernel() so that they would protect
|
|
|
|
exactly what needs to be protected.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->statfs() is now called without BKL held. BKL should have been
|
|
|
|
shifted into individual fs sb_op functions where it's not clear that
|
|
|
|
it's safe to remove it. If you don't need it, remove it.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
is_read_only() is gone; use bdev_read_only() instead.
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
destroy_buffers() is gone; use invalidate_bdev().
|
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
fsync_dev() is gone; use fsync_bdev(). NOTE: lvm breakage is
|
|
|
|
deliberate; as soon as struct block_device * is propagated in a reasonable
|
|
|
|
way by that code fixing will become trivial; until then nothing can be
|
|
|
|
done.
|
2010-06-07 15:29:20 +08:00
|
|
|
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
block truncatation on error exit from ->write_begin, and ->direct_IO
|
|
|
|
moved from generic methods (block_write_begin, cont_write_begin,
|
|
|
|
nobh_write_begin, blockdev_direct_IO*) to callers. Take a look at
|
|
|
|
ext2_write_failed and callers for an example.
|
|
|
|
|
|
|
|
[mandatory]
|
|
|
|
|
2012-12-15 19:00:38 +08:00
|
|
|
->truncate is gone. The whole truncate sequence needs to be
|
2010-06-07 15:29:20 +08:00
|
|
|
implemented in ->setattr, which is now mandatory for filesystems
|
|
|
|
implementing on-disk size changes. Start with a copy of the old inode_setattr
|
|
|
|
and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
|
|
|
|
be in order of zeroing blocks using block_truncate_page or similar helpers,
|
|
|
|
size update and on finally on-disk truncation which should not fail.
|
2016-05-26 22:55:18 +08:00
|
|
|
setattr_prepare (which used to be inode_change_ok) now includes the size checks
|
|
|
|
for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
|
2010-06-08 12:37:12 +08:00
|
|
|
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
->clear_inode() and ->delete_inode() are gone; ->evict_inode() should
|
|
|
|
be used instead. It gets called whenever the inode is evicted, whether it has
|
|
|
|
remaining links or not. Caller does *not* evict the pagecache or inode-associated
|
2014-04-04 05:47:49 +08:00
|
|
|
metadata buffers; the method has to use truncate_inode_pages_final() to get rid
|
|
|
|
of those. Caller makes sure async writeback cannot be running for the inode while
|
|
|
|
(or after) ->evict_inode() is called.
|
2011-03-22 19:23:39 +08:00
|
|
|
|
|
|
|
->drop_inode() returns int now; it's called on final iput() with
|
|
|
|
inode->i_lock held and it returns true if filesystems wants the inode to be
|
|
|
|
dropped. As before, generic_drop_inode() is still the default and it's been
|
|
|
|
updated appropriately. generic_delete_inode() is also alive and it consists
|
|
|
|
simply of return 1. Note that all actual eviction work is done by caller after
|
|
|
|
->drop_inode() returns.
|
|
|
|
|
2012-05-03 20:48:02 +08:00
|
|
|
As before, clear_inode() must be called exactly once on each call of
|
|
|
|
->evict_inode() (as it used to be for each call of ->delete_inode()). Unlike
|
|
|
|
before, if you are using inode-associated metadata buffers (i.e.
|
|
|
|
mark_buffer_dirty_inode()), it's your responsibility to call
|
|
|
|
invalidate_inode_buffers() before clear_inode().
|
2010-06-08 12:37:12 +08:00
|
|
|
|
|
|
|
NOTE: checking i_nlink in the beginning of ->write_inode() and bailing out
|
|
|
|
if it's zero is not *and* *never* *had* *been* enough. Final unlink() and iput()
|
|
|
|
may happen while the inode is in the middle of ->write_inode(); e.g. if you blindly
|
|
|
|
free the on-disk inode, you may end up doing that while ->write_inode() is writing
|
|
|
|
to it.
|
2011-01-07 14:49:23 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
.d_delete() now only advises the dcache as to whether or not to cache
|
|
|
|
unreferenced dentries, and is now only called when the dentry refcount goes to
|
|
|
|
0. Even on 0 refcount transition, it must be able to tolerate being called 0,
|
|
|
|
1, or more times (eg. constant, idempotent).
|
2011-01-07 14:49:27 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
.d_compare() calling convention and locking rules are significantly
|
|
|
|
changed. Read updated documentation in Documentation/filesystems/vfs.txt (and
|
|
|
|
look at examples of other filesystems) for guidance.
|
2011-01-07 14:49:28 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
.d_hash() calling convention and locking rules are significantly
|
|
|
|
changed. Read updated documentation in Documentation/filesystems/vfs.txt (and
|
|
|
|
look at examples of other filesystems) for guidance.
|
2011-01-07 14:49:38 +08:00
|
|
|
|
|
|
|
---
|
|
|
|
[mandatory]
|
|
|
|
dcache_lock is gone, replaced by fine grained locks. See fs/dcache.c
|
|
|
|
for details of what locks to replace dcache_lock with in order to protect
|
|
|
|
particular things. Most of the time, a filesystem only needs ->d_lock, which
|
|
|
|
protects *all* the dcache state of a given dentry.
|
2011-01-07 14:49:49 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
|
|
|
|
Filesystems must RCU-free their inodes, if they can have been accessed
|
|
|
|
via rcu-walk path walk (basically, if the file can have had a path name in the
|
|
|
|
vfs namespace).
|
|
|
|
|
2012-06-09 23:55:20 +08:00
|
|
|
Even though i_dentry and i_rcu share storage in a union, we will
|
|
|
|
initialize the former in inode_init_always(), so just leave it alone in
|
|
|
|
the callback. It used to be necessary to clean it there, but not anymore
|
|
|
|
(starting at 3.2).
|
2011-01-07 14:49:57 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[recommended]
|
|
|
|
vfs now tries to do path walking in "rcu-walk mode", which avoids
|
|
|
|
atomic operations and scalability hazards on dentries and inodes (see
|
2011-01-14 10:26:53 +08:00
|
|
|
Documentation/filesystems/path-lookup.txt). d_hash and d_compare changes
|
|
|
|
(above) are examples of the changes required to support this. For more complex
|
2011-01-07 14:49:57 +08:00
|
|
|
filesystem callbacks, the vfs drops out of rcu-walk mode before the fs call, so
|
|
|
|
no changes are required to the filesystem. However, this is costly and loses
|
|
|
|
the benefits of rcu-walk mode. We will begin to add filesystem callbacks that
|
|
|
|
are rcu-walk aware, shown below. Filesystems should take advantage of this
|
|
|
|
where possible.
|
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
d_revalidate is a callback that is made on every path element (if
|
|
|
|
the filesystem provides it), which requires dropping out of rcu-walk mode. This
|
|
|
|
may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be
|
|
|
|
returned if the filesystem cannot handle rcu-walk. See
|
2011-01-07 14:49:58 +08:00
|
|
|
Documentation/filesystems/vfs.txt for more details.
|
|
|
|
|
2015-06-05 07:11:22 +08:00
|
|
|
permission is an inode permission check that is called on many or all
|
|
|
|
directory inodes on the way down a path walk (to check for exec permission). It
|
|
|
|
must now be rcu-walk aware (mask & MAY_NOT_BLOCK). See
|
|
|
|
Documentation/filesystems/vfs.txt for more details.
|
2011-01-06 04:00:07 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
In ->fallocate() you must check the mode option passed in. If your
|
|
|
|
filesystem does not support hole punching (deallocating space in the middle of a
|
|
|
|
file) you must return -EOPNOTSUPP if FALLOC_FL_PUNCH_HOLE is set in mode.
|
|
|
|
Currently you can only have FALLOC_FL_PUNCH_HOLE with FALLOC_FL_KEEP_SIZE set,
|
|
|
|
so the i_size should not change when hole punching, even when puching the end of
|
|
|
|
a file off.
|
2011-03-16 21:07:58 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->get_sb() is gone. Switch to use of ->mount(). Typically it's just
|
|
|
|
a matter of switching from calling get_sb_... to mount_... and changing the
|
|
|
|
function type. If you were doing it manually, just switch from setting ->mnt_root
|
|
|
|
to some pointer to returning that pointer. On errors return ERR_PTR(...).
|
2011-06-21 09:56:31 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
2011-07-23 23:37:31 +08:00
|
|
|
->permission() and generic_permission()have lost flags
|
2011-06-21 09:56:31 +08:00
|
|
|
argument; instead of passing IPERM_FLAG_RCU we add MAY_NOT_BLOCK into mask.
|
2011-07-23 23:37:31 +08:00
|
|
|
generic_permission() has also lost the check_acl argument; ACL checking
|
|
|
|
has been taken to VFS and filesystems need to provide a non-NULL ->i_op->get_acl
|
|
|
|
to read an ACL from disk.
|
2011-07-19 01:21:35 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
If you implement your own ->llseek() you must handle SEEK_HOLE and
|
|
|
|
SEEK_DATA. You can hanle this by returning -EINVAL, but it would be nicer to
|
|
|
|
support it in some way. The generic handler assumes that the entire file is
|
|
|
|
data and there is a virtual hole at the end of the file. So if the provided
|
|
|
|
offset is less than i_size and SEEK_DATA is specified, return the same offset.
|
|
|
|
If the above is true for the offset and you are given SEEK_HOLE, return the end
|
|
|
|
of the file. If the offset is i_size or greater return -ENXIO in either case.
|
2011-07-17 08:44:56 +08:00
|
|
|
|
|
|
|
[mandatory]
|
|
|
|
If you have your own ->fsync() you must make sure to call
|
|
|
|
filemap_write_and_wait_range() so that all dirty pages are synced out properly.
|
|
|
|
You must also keep in mind that ->fsync() is not called with i_mutex held
|
|
|
|
anymore, so if you require i_mutex locking you must make sure to take it and
|
|
|
|
release it yourself.
|
2012-02-13 11:15:47 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
d_alloc_root() is gone, along with a lot of bugs caused by code
|
|
|
|
misusing it. Replacement: d_make_root(inode). The difference is,
|
|
|
|
d_make_root() drops the reference to inode if dentry allocation fails.
|
2012-06-11 04:03:43 +08:00
|
|
|
|
|
|
|
--
|
|
|
|
[mandatory]
|
2012-06-11 05:13:09 +08:00
|
|
|
The witch is dead! Well, 2/3 of it, anyway. ->d_revalidate() and
|
|
|
|
->lookup() do *not* take struct nameidata anymore; just the flags.
|
2012-06-11 06:05:36 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->create() doesn't take struct nameidata *; unlike the previous
|
|
|
|
two, it gets "is it an O_EXCL or equivalent?" boolean argument. Note that
|
|
|
|
local filesystems can ignore tha argument - they are guaranteed that the
|
|
|
|
object doesn't exist. It's remote/distributed ones that might care...
|
2013-02-21 00:19:05 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
FS_REVAL_DOT is gone; if you used to have it, add ->d_weak_revalidate()
|
|
|
|
in your dentry operations instead.
|
2013-05-16 01:52:59 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
vfs_readdir() is gone; switch to iterate_dir() instead
|
2013-05-23 09:44:23 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->readdir() is gone now; switch to ->iterate()
|
2013-09-09 22:16:41 +08:00
|
|
|
[mandatory]
|
|
|
|
vfs_follow_link has been removed. Filesystems must use nd_set_link
|
|
|
|
from ->follow_link for normal symlinks, or nd_jump_link for magic
|
|
|
|
/proc/<pid> style links.
|
2013-11-06 22:54:52 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
iget5_locked()/ilookup5()/ilookup5_nowait() test() callback used to be
|
|
|
|
called with both ->i_lock and inode_hash_lock held; the former is *not*
|
|
|
|
taken anymore, so verify that your callbacks do not rely on it (none
|
|
|
|
of the in-tree instances did). inode_hash_lock is still held,
|
|
|
|
of course, so they are still serialized wrt removal from inode hash,
|
|
|
|
as well as wrt set() callback of iget5_locked().
|
2014-10-13 10:24:21 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
d_materialise_unique() is gone; d_splice_alias() does everything you
|
|
|
|
need now. Remember that they have opposite orders of arguments ;-/
|
2014-10-31 13:22:04 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
f_dentry is gone; use f_path.dentry, or, better yet, see if you can avoid
|
|
|
|
it entirely.
|
2015-04-04 03:41:18 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
never call ->read() and ->write() directly; use __vfs_{read,write} or
|
|
|
|
wrappers; instead of checking for ->write or ->read being NULL, look for
|
|
|
|
FMODE_CAN_{WRITE,READ} in file->f_mode.
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
do _not_ use new_sync_{read,write} for ->read/->write; leave it NULL
|
|
|
|
instead.
|
2015-04-04 13:14:53 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->aio_read/->aio_write are gone. Use ->read_iter/->write_iter.
|
2015-05-11 20:29:30 +08:00
|
|
|
---
|
|
|
|
[recommended]
|
|
|
|
for embedded ("fast") symlinks just set inode->i_link to wherever the
|
|
|
|
symlink body is and use simple_follow_link() as ->follow_link().
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
calling conventions for ->follow_link() have changed. Instead of returning
|
|
|
|
cookie and using nd_set_link() to store the body to traverse, we return
|
|
|
|
the body to traverse and store the cookie using explicit void ** argument.
|
|
|
|
nameidata isn't passed at all - nd_jump_link() doesn't need it and
|
|
|
|
nd_[gs]et_link() is gone.
|
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
calling conventions for ->put_link() have changed. It gets inode instead of
|
|
|
|
dentry, it does not get nameidata at all and it gets called only when cookie
|
|
|
|
is non-NULL. Note that link body isn't available anymore, so if you need it,
|
|
|
|
store it as cookie.
|
2015-06-30 21:54:08 +08:00
|
|
|
--
|
2015-11-17 14:07:57 +08:00
|
|
|
[mandatory]
|
|
|
|
any symlink that might use page_follow_link_light/page_put_link() must
|
|
|
|
have inode_nohighmem(inode) called before anything might start playing with
|
2016-01-15 06:52:59 +08:00
|
|
|
its pagecache. No highmem pages should end up in the pagecache of such
|
|
|
|
symlinks. That includes any preseeding that might be done during symlink
|
|
|
|
creation. __page_symlink() will honour the mapping gfp flags, so once
|
|
|
|
you've done inode_nohighmem() it's safe to use, but if you allocate and
|
|
|
|
insert the page manually, make sure to use the right gfp flags.
|
2015-11-17 23:20:54 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->follow_link() is replaced with ->get_link(); same API, except that
|
|
|
|
* ->get_link() gets inode as a separate argument
|
|
|
|
* ->get_link() may be called in RCU mode - in that case NULL
|
|
|
|
dentry is passed
|
2015-12-30 04:58:39 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->get_link() gets struct delayed_call *done now, and should do
|
|
|
|
set_delayed_call() where it used to set *cookie.
|
|
|
|
->put_link() is gone - just give the destructor to set_delayed_call()
|
|
|
|
in ->get_link().
|
2016-04-11 12:48:00 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->getxattr() and xattr_handler.get() get dentry and inode passed separately.
|
|
|
|
dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
|
|
|
|
in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
|
|
|
|
called before we attach dentry to inode.
|
parallel lookups machinery, part 2
We'll need to verify that there's neither a hashed nor in-lookup
dentry with desired parent/name before adding to in-lookup set.
One possible solution would be to hold the parent's ->d_lock through
both checks, but while the in-lookup set is relatively small at any
time, dcache is not. And holding the parent's ->d_lock through
something like __d_lookup_rcu() would suck too badly.
So we leave the parent's ->d_lock alone, which means that we watch
out for the following scenario:
* we verify that there's no hashed match
* existing in-lookup match gets hashed by another process
* we verify that there's no in-lookup matches and decide
that everything's fine.
Solution: per-directory kinda-sorta seqlock, bumped around the times
we hash something that used to be in-lookup or move (and hash)
something in place of in-lookup. Then the above would turn into
* read the counter
* do dcache lookup
* if no matches found, check for in-lookup matches
* if there had been none of those either, check if the
counter has changed; repeat if it has.
The "kinda-sorta" part is due to the fact that we don't have much spare
space in inode. There is a spare word (shared with i_bdev/i_cdev/i_pipe),
so the counter part is not a problem, but spinlock is a different story.
We could use the parent's ->d_lock, and it would be less painful in
terms of contention, for __d_add() it would be rather inconvenient to
grab; we could do that (using lock_parent()), but...
Fortunately, we can get serialization on the counter itself, and it
might be a good idea in general; we can use cmpxchg() in a loop to
get from even to odd and smp_store_release() from odd to even.
This commit adds the counter and updating logics; the readers will be
added in the next commit.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-04-15 12:58:55 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
symlinks are no longer the only inodes that do *not* have i_bdev/i_cdev/
|
|
|
|
i_pipe/i_link union zeroed out at inode eviction. As the result, you can't
|
|
|
|
assume that non-NULL value in ->i_nlink at ->destroy_inode() implies that
|
|
|
|
it's a symlink. Checking ->i_mode is really needed now. In-tree we had
|
|
|
|
to fix shmem_destroy_callback() that used to take that kind of shortcut;
|
|
|
|
watch out, since that shortcut is no longer valid.
|
2016-04-16 03:08:36 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->i_mutex is replaced with ->i_rwsem now. inode_lock() et.al. work as
|
|
|
|
they used to - they just take it exclusive. However, ->lookup() may be
|
|
|
|
called with parent locked shared. Its instances must not
|
|
|
|
* use d_instantiate) and d_rehash() separately - use d_add() or
|
|
|
|
d_splice_alias() instead.
|
|
|
|
* use d_rehash() alone - call d_add(new_dentry, NULL) instead.
|
|
|
|
* in the unlikely case when (read-only) access to filesystem
|
|
|
|
data structures needs exclusion for some reason, arrange it
|
|
|
|
yourself. None of the in-tree filesystems needed that.
|
|
|
|
* rely on ->d_parent and ->d_name not changing after dentry has
|
|
|
|
been fed to d_add() or d_splice_alias(). Again, none of the
|
|
|
|
in-tree instances relied upon that.
|
|
|
|
We are guaranteed that lookups of the same name in the same directory
|
|
|
|
will not happen in parallel ("same" in the sense of your ->d_compare()).
|
|
|
|
Lookups on different names in the same directory can and do happen in
|
|
|
|
parallel now.
|
2016-04-21 11:08:32 +08:00
|
|
|
--
|
|
|
|
[recommended]
|
|
|
|
->iterate_shared() is added; it's a parallel variant of ->iterate().
|
|
|
|
Exclusion on struct file level is still provided (as well as that
|
|
|
|
between it and lseek on the same struct file), but if your directory
|
|
|
|
has been opened several times, you can get these called in parallel.
|
|
|
|
Exclusion between that method and all directory-modifying ones is
|
|
|
|
still provided, of course.
|
|
|
|
|
|
|
|
Often enough ->iterate() can serve as ->iterate_shared() without any
|
|
|
|
changes - it is a read-only operation, after all. If you have any
|
|
|
|
per-inode or per-dentry in-core data structures modified by ->iterate(),
|
|
|
|
you might need something to serialize the access to them. If you
|
|
|
|
do dcache pre-seeding, you'll need to switch to d_alloc_parallel() for
|
|
|
|
that; look for in-tree examples.
|
|
|
|
|
|
|
|
Old method is only used if the new one is absent; eventually it will
|
|
|
|
be removed. Switch while you still can; the old one won't stay.
|
2016-04-29 07:35:16 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->atomic_open() calls without O_CREAT may happen in parallel.
|
2016-05-27 23:06:05 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->setxattr() and xattr_handler.set() get dentry and inode passed separately.
|
|
|
|
dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
|
|
|
|
in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
|
|
|
|
called before we attach dentry to inode and !@#!@##!@$!$#!@#$!@$!@$ smack
|
|
|
|
->d_instantiate() uses not just ->getxattr() but ->setxattr() as well.
|
2016-08-01 04:37:25 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->d_compare() doesn't get parent as a separate argument anymore. If you
|
|
|
|
used it for finding the struct super_block involved, dentry->d_sb will
|
|
|
|
work just as well; if it's something more complicated, use dentry->d_parent.
|
|
|
|
Just be careful not to assume that fetching it more than once will yield
|
|
|
|
the same value - in RCU mode it could change under you.
|
2016-09-27 17:03:58 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->rename() has an added flags argument. Any flags not handled by the
|
|
|
|
filesystem should result in EINVAL being returned.
|
2016-12-09 23:45:04 +08:00
|
|
|
--
|
|
|
|
[recommended]
|
|
|
|
->readlink is optional for symlinks. Don't set, unless filesystem needs
|
|
|
|
to fake something for readlink(2).
|
2017-04-01 01:31:25 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->getattr() is now passed a struct path rather than a vfsmount and
|
|
|
|
dentry separately, and it now has request_mask and query_flags arguments
|
|
|
|
to specify the fields and sync type requested by statx. Filesystems not
|
|
|
|
supporting any statx-specific features may ignore the new arguments.
|
2018-07-10 07:20:08 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
->atomic_open() calling conventions have changed. Gone is int *opened,
|
|
|
|
along with FILE_OPENED/FILE_CREATED. In place of those we have
|
|
|
|
FMODE_OPENED/FMODE_CREATED, set in file->f_mode. Additionally, return
|
|
|
|
value for 'called finish_no_open(), open it yourself' case has become
|
|
|
|
0, not 1. Since finish_no_open() itself is returning 0 now, that part
|
|
|
|
does not need any changes in ->atomic_open() instances.
|
2018-07-10 07:20:08 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
alloc_file() has become static now; two wrappers are to be used instead.
|
|
|
|
alloc_file_pseudo(inode, vfsmount, name, flags, ops) is for the cases
|
|
|
|
when dentry needs to be created; that's the majority of old alloc_file()
|
|
|
|
users. Calling conventions: on success a reference to new struct file
|
|
|
|
is returned and callers reference to inode is subsumed by that. On
|
|
|
|
failure, ERR_PTR() is returned and no caller's references are affected,
|
|
|
|
so the caller needs to drop the inode reference it held.
|
|
|
|
alloc_file_clone(file, flags, ops) does not affect any caller's references.
|
|
|
|
On success you get a new struct file sharing the mount/dentry with the
|
|
|
|
original, on failure - ERR_PTR().
|
2018-10-11 04:52:37 +08:00
|
|
|
--
|
2018-10-30 07:41:21 +08:00
|
|
|
[mandatory]
|
|
|
|
->clone_file_range() and ->dedupe_file_range have been replaced with
|
|
|
|
->remap_file_range(). See Documentation/filesystems/vfs.txt for more
|
|
|
|
information.
|
vfs: rework data cloning infrastructure
Rework the vfs_clone_file_range and vfs_dedupe_file_range infrastructure to use
a common .remap_file_range method and supply generic bounds and sanity checking
functions that are shared with the data write path. The current VFS
infrastructure has problems with rlimit, LFS file sizes, file time stamps,
maximum filesystem file sizes, stripping setuid bits, etc and so they are
addressed in these commits.
We also introduce the ability for the ->remap_file_range methods to return short
clones so that clones for vfs_copy_file_range() don't get rejected if the entire
range can't be cloned. It also allows filesystems to sliently skip deduplication
of partial EOF blocks if they are not capable of doing so without requiring
errors to be thrown to userspace.
All existing filesystems are converted to user the new .remap_file_range method,
and both XFS and ocfs2 are modified to make use of the new generic checking
infrastructure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJb29gEAAoJEK3oKUf0dfodpOAQAL2VbHjvKXEwNMDTKscSRMmZ
Z0xXo3gamFKQ+VGOqy2g2lmAYQs9SAnTuCGTJ7zIAp7u+q8gzUy5FzKAwLS4Id6L
8siaY6nzlicfO04d0MdXnWz0f3xykChgzfdQfVUlUi7WrDioBUECLPmx4a+USsp1
DQGjLOZfoOAmn2rijdnH9RTEaHqg+8mcTaLN9TRav4gGqrWxldFKXw2y6ouFC7uo
/hxTRNXR9VI+EdbDelwBNXl9nU9gQA0WLOvRKwgUrtv6bSJohTPsmXt7EbBtNcVR
cl3zDNc1sLD1bLaRLEUAszI/33wXaaQgom1iB51obIcHHef+JxRNG/j6rUMfzxZI
VaauGv5EIvtaKN0LTAqVVLQ8t2MQFYfOr8TykmO+1UFog204aKRANdVMHDSjxD/0
dTGKJGcq+HnKQ+JHDbTdvuXEL8sUUl1FiLjOQbZPw63XmuddLKFUA2TOjXn6htbU
1h1MG5d9KjGLpabp2BQheczD08NuSmcrOBNt7IoeI3+nxr3HpMwprfB9TyaERy9X
iEgyVXmjjc9bLLRW7A2wm77aW64NvPs51wKMnvuNgNwnCewrGS6cB8WVj2zbQjH1
h3f3nku44s9ctNPSBzb/sJLnpqmZQ5t0oSmrMSN+5+En6rNTacoJCzxHRJBA7z/h
Z+C6y1GTZw0euY6Zjiwu
=CE/A
-----END PGP SIGNATURE-----
Merge tag 'xfs-4.20-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull vfs dedup fixes from Dave Chinner:
"This reworks the vfs data cloning infrastructure.
We discovered many issues with these interfaces late in the 4.19 cycle
- the worst of them (data corruption, setuid stripping) were fixed for
XFS in 4.19-rc8, but a larger rework of the infrastructure fixing all
the problems was needed. That rework is the contents of this pull
request.
Rework the vfs_clone_file_range and vfs_dedupe_file_range
infrastructure to use a common .remap_file_range method and supply
generic bounds and sanity checking functions that are shared with the
data write path. The current VFS infrastructure has problems with
rlimit, LFS file sizes, file time stamps, maximum filesystem file
sizes, stripping setuid bits, etc and so they are addressed in these
commits.
We also introduce the ability for the ->remap_file_range methods to
return short clones so that clones for vfs_copy_file_range() don't get
rejected if the entire range can't be cloned. It also allows
filesystems to sliently skip deduplication of partial EOF blocks if
they are not capable of doing so without requiring errors to be thrown
to userspace.
Existing filesystems are converted to user the new remap_file_range
method, and both XFS and ocfs2 are modified to make use of the new
generic checking infrastructure"
* tag 'xfs-4.20-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (28 commits)
xfs: remove [cm]time update from reflink calls
xfs: remove xfs_reflink_remap_range
xfs: remove redundant remap partial EOF block checks
xfs: support returning partial reflink results
xfs: clean up xfs_reflink_remap_blocks call site
xfs: fix pagecache truncation prior to reflink
ocfs2: remove ocfs2_reflink_remap_range
ocfs2: support partial clone range and dedupe range
ocfs2: fix pagecache truncation prior to reflink
ocfs2: truncate page cache for clone destination file before remapping
vfs: clean up generic_remap_file_range_prep return value
vfs: hide file range comparison function
vfs: enable remap callers that can handle short operations
vfs: plumb remap flags through the vfs dedupe functions
vfs: plumb remap flags through the vfs clone functions
vfs: make remap_file_range functions take and return bytes completed
vfs: remap helper should update destination inode metadata
vfs: pass remap flags to generic_remap_checks
vfs: pass remap flags to generic_remap_file_range_prep
vfs: combine the clone and dedupe into a single remap_file_range
...
2018-11-03 00:33:08 +08:00
|
|
|
--
|
2018-10-11 04:52:37 +08:00
|
|
|
[recommended]
|
|
|
|
->lookup() instances doing an equivalent of
|
|
|
|
if (IS_ERR(inode))
|
|
|
|
return ERR_CAST(inode);
|
|
|
|
return d_splice_alias(inode, dentry);
|
|
|
|
don't need to bother with the check - d_splice_alias() will do the
|
|
|
|
right thing when given ERR_PTR(...) as inode. Moreover, passing NULL
|
|
|
|
inode to d_splice_alias() will also do the right thing (equivalent of
|
|
|
|
d_add(dentry, NULL); return NULL;), so that kind of special cases
|
|
|
|
also doesn't need a separate treatment.
|
2019-04-11 02:43:44 +08:00
|
|
|
--
|
|
|
|
[strongly recommended]
|
|
|
|
take the RCU-delayed parts of ->destroy_inode() into a new method -
|
|
|
|
->free_inode(). If ->destroy_inode() becomes empty - all the better,
|
|
|
|
just get rid of it. Synchronous work (e.g. the stuff that can't
|
|
|
|
be done from an RCU callback, or any WARN_ON() where we want the
|
|
|
|
stack trace) *might* be movable to ->evict_inode(); however,
|
|
|
|
that goes only for the things that are not needed to balance something
|
|
|
|
done by ->alloc_inode(). IOW, if it's cleaning up the stuff that
|
|
|
|
might have accumulated over the life of in-core inode, ->evict_inode()
|
|
|
|
might be a fit.
|
|
|
|
|
|
|
|
Rules for inode destruction:
|
|
|
|
* if ->destroy_inode() is non-NULL, it gets called
|
|
|
|
* if ->free_inode() is non-NULL, it gets scheduled by call_rcu()
|
|
|
|
* combination of NULL ->destroy_inode and NULL ->free_inode is
|
|
|
|
treated as NULL/free_inode_nonrcu, to preserve the compatibility.
|
|
|
|
|
|
|
|
Note that the callback (be it via ->free_inode() or explicit call_rcu()
|
|
|
|
in ->destroy_inode()) is *NOT* ordered wrt superblock destruction;
|
|
|
|
as the matter of fact, the superblock and all associated structures
|
|
|
|
might be already gone. The filesystem driver is guaranteed to be still
|
|
|
|
there, but that's it. Freeing memory in the callback is fine; doing
|
|
|
|
more than that is possible, but requires a lot of care and is best
|
|
|
|
avoided.
|
2019-05-08 02:17:26 +08:00
|
|
|
--
|
dcache: sort the freeing-without-RCU-delay mess for good.
For lockless accesses to dentries we don't have pinned we rely
(among other things) upon having an RCU delay between dropping
the last reference and actually freeing the memory.
On the other hand, for things like pipes and sockets we neither
do that kind of lockless access, nor want to deal with the
overhead of an RCU delay every time a socket gets closed.
So delay was made optional - setting DCACHE_RCUACCESS in ->d_flags
made sure it would happen. We tried to avoid setting it unless
we knew we need it. Unfortunately, that had led to recurring
class of bugs, in which we missed the need to set it.
We only really need it for dentries that are created by
d_alloc_pseudo(), so let's not bother with trying to be smart -
just make having an RCU delay the default. The ones that do
*not* get it set the replacement flag (DCACHE_NORCU) and we'd
better use that sparingly. d_alloc_pseudo() is the only
such user right now.
FWIW, the race that finally prompted that switch had been
between __lock_parent() of immediate subdirectory of what's
currently the root of a disconnected tree (e.g. from
open-by-handle in progress) racing with d_splice_alias()
elsewhere picking another alias for the same inode, either
on outright corrupted fs image, or (in case of open-by-handle
on NFS) that subdirectory having been just moved on server.
It's not easy to hit, so the sky is not falling, but that's
not the first race on similar missed cases and the logics
for settinf DCACHE_RCUACCESS has gotten ridiculously
convoluted.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2019-03-16 10:23:19 +08:00
|
|
|
[mandatory]
|
|
|
|
DCACHE_RCUACCESS is gone; having an RCU delay on dentry freeing is the
|
|
|
|
default. DCACHE_NORCU opts out, and only d_alloc_pseudo() has any
|
|
|
|
business doing so.
|
2019-03-16 10:58:11 +08:00
|
|
|
--
|
|
|
|
[mandatory]
|
|
|
|
d_alloc_pseudo() is internal-only; uses outside of alloc_file_pseudo() are
|
|
|
|
very suspect (and won't work in modules). Such uses are very likely to
|
|
|
|
be misspelled d_alloc_anon().
|