mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-22 18:44:44 +08:00
ecf3d1f1aa
The following set of operations on a NFS client and server will cause server# mkdir a client# cd a server# mv a a.bak client# sleep 30 # (or whatever the dir attrcache timeout is) client# stat . stat: cannot stat `.': Stale NFS file handle Obviously, we should not be getting an ESTALE error back there since the inode still exists on the server. The problem is that the lookup code will call d_revalidate on the dentry that "." refers to, because NFS has FS_REVAL_DOT set. nfs_lookup_revalidate will see that the parent directory has changed and will try to reverify the dentry by redoing a LOOKUP. That of course fails, so the lookup code returns ESTALE. The problem here is that d_revalidate is really a bad fit for this case. What we really want to know at this point is whether the inode is still good or not, but we don't really care what name it goes by or whether the dcache is still valid. Add a new d_op->d_weak_revalidate operation and have complete_walk call that instead of d_revalidate. The intent there is to allow for a "weaker" d_revalidate that just checks to see whether the inode is still good. This is also gives us an opportunity to kill off the FS_REVAL_DOT special casing. [AV: changed method name, added note in porting, fixed confusion re having it possibly called from RCU mode (it won't be)] Cc: NeilBrown <neilb@suse.de> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
448 lines
16 KiB
Plaintext
448 lines
16 KiB
Plaintext
Changes since 2.5.0:
|
|
|
|
---
|
|
[recommended]
|
|
|
|
New helpers: sb_bread(), sb_getblk(), sb_find_get_block(), set_bh(),
|
|
sb_set_blocksize() and sb_min_blocksize().
|
|
|
|
Use them.
|
|
|
|
(sb_find_get_block() replaces 2.4's get_hash_table())
|
|
|
|
---
|
|
[recommended]
|
|
|
|
New methods: ->alloc_inode() and ->destroy_inode().
|
|
|
|
Remove inode->u.foo_inode_i
|
|
Declare
|
|
struct foo_inode_info {
|
|
/* fs-private stuff */
|
|
struct inode vfs_inode;
|
|
};
|
|
static inline struct foo_inode_info *FOO_I(struct inode *inode)
|
|
{
|
|
return list_entry(inode, struct foo_inode_info, vfs_inode);
|
|
}
|
|
|
|
Use FOO_I(inode) instead of &inode->u.foo_inode_i;
|
|
|
|
Add foo_alloc_inode() and foo_destroy_inode() - the former should allocate
|
|
foo_inode_info and return the address of ->vfs_inode, the latter should free
|
|
FOO_I(inode) (see in-tree filesystems for examples).
|
|
|
|
Make them ->alloc_inode and ->destroy_inode in your super_operations.
|
|
|
|
Keep in mind that now you need explicit initialization of private data
|
|
typically between calling iget_locked() and unlocking the inode.
|
|
|
|
At some point that will become mandatory.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
Change of file_system_type method (->read_super to ->get_sb)
|
|
|
|
->read_super() is no more. Ditto for DECLARE_FSTYPE and DECLARE_FSTYPE_DEV.
|
|
|
|
Turn your foo_read_super() into a function that would return 0 in case of
|
|
success and negative number in case of error (-EINVAL unless you have more
|
|
informative error value to report). Call it foo_fill_super(). Now declare
|
|
|
|
int foo_get_sb(struct file_system_type *fs_type,
|
|
int flags, const char *dev_name, void *data, struct vfsmount *mnt)
|
|
{
|
|
return get_sb_bdev(fs_type, flags, dev_name, data, foo_fill_super,
|
|
mnt);
|
|
}
|
|
|
|
(or similar with s/bdev/nodev/ or s/bdev/single/, depending on the kind of
|
|
filesystem).
|
|
|
|
Replace DECLARE_FSTYPE... with explicit initializer and have ->get_sb set as
|
|
foo_get_sb.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
Locking change: ->s_vfs_rename_sem is taken only by cross-directory renames.
|
|
Most likely there is no need to change anything, but if you relied on
|
|
global exclusion between renames for some internal purpose - you need to
|
|
change your internal locking. Otherwise exclusion warranties remain the
|
|
same (i.e. parents and victim are locked, etc.).
|
|
|
|
---
|
|
[informational]
|
|
|
|
Now we have the exclusion between ->lookup() and directory removal (by
|
|
->rmdir() and ->rename()). If you used to need that exclusion and do
|
|
it by internal locking (most of filesystems couldn't care less) - you
|
|
can relax your locking.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->lookup(), ->truncate(), ->create(), ->unlink(), ->mknod(), ->mkdir(),
|
|
->rmdir(), ->link(), ->lseek(), ->symlink(), ->rename()
|
|
and ->readdir() are called without BKL now. Grab it on entry, drop upon return
|
|
- that will guarantee the same locking you used to have. If your method or its
|
|
parts do not need BKL - better yet, now you can shift lock_kernel() and
|
|
unlock_kernel() so that they would protect exactly what needs to be
|
|
protected.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
BKL is also moved from around sb operations. BKL should have been shifted into
|
|
individual fs sb_op functions. If you don't need it, remove it.
|
|
|
|
---
|
|
[informational]
|
|
|
|
check for ->link() target not being a directory is done by callers. Feel
|
|
free to drop it...
|
|
|
|
---
|
|
[informational]
|
|
|
|
->link() callers hold ->i_mutex on the object we are linking to. Some of your
|
|
problems might be over...
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
new file_system_type method - kill_sb(superblock). If you are converting
|
|
an existing filesystem, set it according to ->fs_flags:
|
|
FS_REQUIRES_DEV - kill_block_super
|
|
FS_LITTER - kill_litter_super
|
|
neither - kill_anon_super
|
|
FS_LITTER is gone - just remove it from fs_flags.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
FS_SINGLE is gone (actually, that had happened back when ->get_sb()
|
|
went in - and hadn't been documented ;-/). Just remove it from fs_flags
|
|
(and see ->get_sb() entry for other actions).
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->setattr() is called without BKL now. Caller _always_ holds ->i_mutex, so
|
|
watch for ->i_mutex-grabbing code that might be used by your ->setattr().
|
|
Callers of notify_change() need ->i_mutex now.
|
|
|
|
---
|
|
[recommended]
|
|
|
|
New super_block field "struct export_operations *s_export_op" for
|
|
explicit support for exporting, e.g. via NFS. The structure is fully
|
|
documented at its declaration in include/linux/fs.h, and in
|
|
Documentation/filesystems/nfs/Exporting.
|
|
|
|
Briefly it allows for the definition of decode_fh and encode_fh operations
|
|
to encode and decode filehandles, and allows the filesystem to use
|
|
a standard helper function for decode_fh, and provide file-system specific
|
|
support for this helper, particularly get_parent.
|
|
|
|
It is planned that this will be required for exporting once the code
|
|
settles down a bit.
|
|
|
|
[mandatory]
|
|
|
|
s_export_op is now required for exporting a filesystem.
|
|
isofs, ext2, ext3, resierfs, fat
|
|
can be used as examples of very different filesystems.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
iget4() and the read_inode2 callback have been superseded by iget5_locked()
|
|
which has the following prototype,
|
|
|
|
struct inode *iget5_locked(struct super_block *sb, unsigned long ino,
|
|
int (*test)(struct inode *, void *),
|
|
int (*set)(struct inode *, void *),
|
|
void *data);
|
|
|
|
'test' is an additional function that can be used when the inode
|
|
number is not sufficient to identify the actual file object. 'set'
|
|
should be a non-blocking function that initializes those parts of a
|
|
newly created inode to allow the test function to succeed. 'data' is
|
|
passed as an opaque value to both test and set functions.
|
|
|
|
When the inode has been created by iget5_locked(), it will be returned with the
|
|
I_NEW flag set and will still be locked. The filesystem then needs to finalize
|
|
the initialization. Once the inode is initialized it must be unlocked by
|
|
calling unlock_new_inode().
|
|
|
|
The filesystem is responsible for setting (and possibly testing) i_ino
|
|
when appropriate. There is also a simpler iget_locked function that
|
|
just takes the superblock and inode number as arguments and does the
|
|
test and set for you.
|
|
|
|
e.g.
|
|
inode = iget_locked(sb, ino);
|
|
if (inode->i_state & I_NEW) {
|
|
err = read_inode_from_disk(inode);
|
|
if (err < 0) {
|
|
iget_failed(inode);
|
|
return err;
|
|
}
|
|
unlock_new_inode(inode);
|
|
}
|
|
|
|
Note that if the process of setting up a new inode fails, then iget_failed()
|
|
should be called on the inode to render it dead, and an appropriate error
|
|
should be passed back to the caller.
|
|
|
|
---
|
|
[recommended]
|
|
|
|
->getattr() finally getting used. See instances in nfs, minix, etc.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->revalidate() is gone. If your filesystem had it - provide ->getattr()
|
|
and let it call whatever you had as ->revlidate() + (for symlinks that
|
|
had ->revalidate()) add calls in ->follow_link()/->readlink().
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->d_parent changes are not protected by BKL anymore. Read access is safe
|
|
if at least one of the following is true:
|
|
* filesystem has no cross-directory rename()
|
|
* we know that parent had been locked (e.g. we are looking at
|
|
->d_parent of ->lookup() argument).
|
|
* we are called from ->rename().
|
|
* the child's ->d_lock is held
|
|
Audit your code and add locking if needed. Notice that any place that is
|
|
not protected by the conditions above is risky even in the old tree - you
|
|
had been relying on BKL and that's prone to screwups. Old tree had quite
|
|
a few holes of that kind - unprotected access to ->d_parent leading to
|
|
anything from oops to silent memory corruption.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
FS_NOMOUNT is gone. If you use it - just set MS_NOUSER in flags
|
|
(see rootfs for one kind of solution and bdev/socket/pipe for another).
|
|
|
|
---
|
|
[recommended]
|
|
|
|
Use bdev_read_only(bdev) instead of is_read_only(kdev). The latter
|
|
is still alive, but only because of the mess in drivers/s390/block/dasd.c.
|
|
As soon as it gets fixed is_read_only() will die.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->permission() is called without BKL now. Grab it on entry, drop upon
|
|
return - that will guarantee the same locking you used to have. If
|
|
your method or its parts do not need BKL - better yet, now you can
|
|
shift lock_kernel() and unlock_kernel() so that they would protect
|
|
exactly what needs to be protected.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
->statfs() is now called without BKL held. BKL should have been
|
|
shifted into individual fs sb_op functions where it's not clear that
|
|
it's safe to remove it. If you don't need it, remove it.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
is_read_only() is gone; use bdev_read_only() instead.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
destroy_buffers() is gone; use invalidate_bdev().
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
fsync_dev() is gone; use fsync_bdev(). NOTE: lvm breakage is
|
|
deliberate; as soon as struct block_device * is propagated in a reasonable
|
|
way by that code fixing will become trivial; until then nothing can be
|
|
done.
|
|
|
|
[mandatory]
|
|
|
|
block truncatation on error exit from ->write_begin, and ->direct_IO
|
|
moved from generic methods (block_write_begin, cont_write_begin,
|
|
nobh_write_begin, blockdev_direct_IO*) to callers. Take a look at
|
|
ext2_write_failed and callers for an example.
|
|
|
|
[mandatory]
|
|
|
|
->truncate is gone. The whole truncate sequence needs to be
|
|
implemented in ->setattr, which is now mandatory for filesystems
|
|
implementing on-disk size changes. Start with a copy of the old inode_setattr
|
|
and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
|
|
be in order of zeroing blocks using block_truncate_page or similar helpers,
|
|
size update and on finally on-disk truncation which should not fail.
|
|
inode_change_ok now includes the size checks for ATTR_SIZE and must be called
|
|
in the beginning of ->setattr unconditionally.
|
|
|
|
[mandatory]
|
|
|
|
->clear_inode() and ->delete_inode() are gone; ->evict_inode() should
|
|
be used instead. It gets called whenever the inode is evicted, whether it has
|
|
remaining links or not. Caller does *not* evict the pagecache or inode-associated
|
|
metadata buffers; getting rid of those is responsibility of method, as it had
|
|
been for ->delete_inode(). Caller makes sure async writeback cannot be running
|
|
for the inode while (or after) ->evict_inode() is called.
|
|
|
|
->drop_inode() returns int now; it's called on final iput() with
|
|
inode->i_lock held and it returns true if filesystems wants the inode to be
|
|
dropped. As before, generic_drop_inode() is still the default and it's been
|
|
updated appropriately. generic_delete_inode() is also alive and it consists
|
|
simply of return 1. Note that all actual eviction work is done by caller after
|
|
->drop_inode() returns.
|
|
|
|
As before, clear_inode() must be called exactly once on each call of
|
|
->evict_inode() (as it used to be for each call of ->delete_inode()). Unlike
|
|
before, if you are using inode-associated metadata buffers (i.e.
|
|
mark_buffer_dirty_inode()), it's your responsibility to call
|
|
invalidate_inode_buffers() before clear_inode().
|
|
|
|
NOTE: checking i_nlink in the beginning of ->write_inode() and bailing out
|
|
if it's zero is not *and* *never* *had* *been* enough. Final unlink() and iput()
|
|
may happen while the inode is in the middle of ->write_inode(); e.g. if you blindly
|
|
free the on-disk inode, you may end up doing that while ->write_inode() is writing
|
|
to it.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
.d_delete() now only advises the dcache as to whether or not to cache
|
|
unreferenced dentries, and is now only called when the dentry refcount goes to
|
|
0. Even on 0 refcount transition, it must be able to tolerate being called 0,
|
|
1, or more times (eg. constant, idempotent).
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
.d_compare() calling convention and locking rules are significantly
|
|
changed. Read updated documentation in Documentation/filesystems/vfs.txt (and
|
|
look at examples of other filesystems) for guidance.
|
|
|
|
---
|
|
[mandatory]
|
|
|
|
.d_hash() calling convention and locking rules are significantly
|
|
changed. Read updated documentation in Documentation/filesystems/vfs.txt (and
|
|
look at examples of other filesystems) for guidance.
|
|
|
|
---
|
|
[mandatory]
|
|
dcache_lock is gone, replaced by fine grained locks. See fs/dcache.c
|
|
for details of what locks to replace dcache_lock with in order to protect
|
|
particular things. Most of the time, a filesystem only needs ->d_lock, which
|
|
protects *all* the dcache state of a given dentry.
|
|
|
|
--
|
|
[mandatory]
|
|
|
|
Filesystems must RCU-free their inodes, if they can have been accessed
|
|
via rcu-walk path walk (basically, if the file can have had a path name in the
|
|
vfs namespace).
|
|
|
|
Even though i_dentry and i_rcu share storage in a union, we will
|
|
initialize the former in inode_init_always(), so just leave it alone in
|
|
the callback. It used to be necessary to clean it there, but not anymore
|
|
(starting at 3.2).
|
|
|
|
--
|
|
[recommended]
|
|
vfs now tries to do path walking in "rcu-walk mode", which avoids
|
|
atomic operations and scalability hazards on dentries and inodes (see
|
|
Documentation/filesystems/path-lookup.txt). d_hash and d_compare changes
|
|
(above) are examples of the changes required to support this. For more complex
|
|
filesystem callbacks, the vfs drops out of rcu-walk mode before the fs call, so
|
|
no changes are required to the filesystem. However, this is costly and loses
|
|
the benefits of rcu-walk mode. We will begin to add filesystem callbacks that
|
|
are rcu-walk aware, shown below. Filesystems should take advantage of this
|
|
where possible.
|
|
|
|
--
|
|
[mandatory]
|
|
d_revalidate is a callback that is made on every path element (if
|
|
the filesystem provides it), which requires dropping out of rcu-walk mode. This
|
|
may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be
|
|
returned if the filesystem cannot handle rcu-walk. See
|
|
Documentation/filesystems/vfs.txt for more details.
|
|
|
|
permission and check_acl are inode permission checks that are called
|
|
on many or all directory inodes on the way down a path walk (to check for
|
|
exec permission). These must now be rcu-walk aware (flags & IPERM_FLAG_RCU).
|
|
See Documentation/filesystems/vfs.txt for more details.
|
|
|
|
--
|
|
[mandatory]
|
|
In ->fallocate() you must check the mode option passed in. If your
|
|
filesystem does not support hole punching (deallocating space in the middle of a
|
|
file) you must return -EOPNOTSUPP if FALLOC_FL_PUNCH_HOLE is set in mode.
|
|
Currently you can only have FALLOC_FL_PUNCH_HOLE with FALLOC_FL_KEEP_SIZE set,
|
|
so the i_size should not change when hole punching, even when puching the end of
|
|
a file off.
|
|
|
|
--
|
|
[mandatory]
|
|
->get_sb() is gone. Switch to use of ->mount(). Typically it's just
|
|
a matter of switching from calling get_sb_... to mount_... and changing the
|
|
function type. If you were doing it manually, just switch from setting ->mnt_root
|
|
to some pointer to returning that pointer. On errors return ERR_PTR(...).
|
|
|
|
--
|
|
[mandatory]
|
|
->permission() and generic_permission()have lost flags
|
|
argument; instead of passing IPERM_FLAG_RCU we add MAY_NOT_BLOCK into mask.
|
|
generic_permission() has also lost the check_acl argument; ACL checking
|
|
has been taken to VFS and filesystems need to provide a non-NULL ->i_op->get_acl
|
|
to read an ACL from disk.
|
|
|
|
--
|
|
[mandatory]
|
|
If you implement your own ->llseek() you must handle SEEK_HOLE and
|
|
SEEK_DATA. You can hanle this by returning -EINVAL, but it would be nicer to
|
|
support it in some way. The generic handler assumes that the entire file is
|
|
data and there is a virtual hole at the end of the file. So if the provided
|
|
offset is less than i_size and SEEK_DATA is specified, return the same offset.
|
|
If the above is true for the offset and you are given SEEK_HOLE, return the end
|
|
of the file. If the offset is i_size or greater return -ENXIO in either case.
|
|
|
|
[mandatory]
|
|
If you have your own ->fsync() you must make sure to call
|
|
filemap_write_and_wait_range() so that all dirty pages are synced out properly.
|
|
You must also keep in mind that ->fsync() is not called with i_mutex held
|
|
anymore, so if you require i_mutex locking you must make sure to take it and
|
|
release it yourself.
|
|
|
|
--
|
|
[mandatory]
|
|
d_alloc_root() is gone, along with a lot of bugs caused by code
|
|
misusing it. Replacement: d_make_root(inode). The difference is,
|
|
d_make_root() drops the reference to inode if dentry allocation fails.
|
|
|
|
--
|
|
[mandatory]
|
|
The witch is dead! Well, 2/3 of it, anyway. ->d_revalidate() and
|
|
->lookup() do *not* take struct nameidata anymore; just the flags.
|
|
--
|
|
[mandatory]
|
|
->create() doesn't take struct nameidata *; unlike the previous
|
|
two, it gets "is it an O_EXCL or equivalent?" boolean argument. Note that
|
|
local filesystems can ignore tha argument - they are guaranteed that the
|
|
object doesn't exist. It's remote/distributed ones that might care...
|
|
--
|
|
[mandatory]
|
|
FS_REVAL_DOT is gone; if you used to have it, add ->d_weak_revalidate()
|
|
in your dentry operations instead.
|