2005-04-17 06:20:36 +08:00
|
|
|
#ifndef __LINUX_DCACHE_H
|
|
|
|
#define __LINUX_DCACHE_H
|
|
|
|
|
2011-07-27 07:09:06 +08:00
|
|
|
#include <linux/atomic.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/list.h>
|
2008-05-13 03:21:05 +08:00
|
|
|
#include <linux/rculist.h>
|
2011-01-07 14:50:05 +08:00
|
|
|
#include <linux/rculist_bl.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/spinlock.h>
|
fs: rcu-walk for path lookup
Perform common cases of path lookups without any stores or locking in the
ancestor dentry elements. This is called rcu-walk, as opposed to the current
algorithm which is a refcount based walk, or ref-walk.
This results in far fewer atomic operations on every path element,
significantly improving path lookup performance. It also avoids cacheline
bouncing on common dentries, significantly improving scalability.
The overall design is like this:
* LOOKUP_RCU is set in nd->flags, which distinguishes rcu-walk from ref-walk.
* Take the RCU lock for the entire path walk, starting with the acquiring
of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are
not required for dentry persistence.
* synchronize_rcu is called when unregistering a filesystem, so we can
access d_ops and i_ops during rcu-walk.
* Similarly take the vfsmount lock for the entire path walk. So now mnt
refcounts are not required for persistence. Also we are free to perform mount
lookups, and to assume dentry mount points and mount roots are stable up and
down the path.
* Have a per-dentry seqlock to protect the dentry name, parent, and inode,
so we can load this tuple atomically, and also check whether any of its
members have changed.
* Dentry lookups (based on parent, candidate string tuple) recheck the parent
sequence after the child is found in case anything changed in the parent
during the path walk.
* inode is also RCU protected so we can load d_inode and use the inode for
limited things.
* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.
* i_op can be loaded.
When we reach the destination dentry, we lock it, recheck lookup sequence,
and increment its refcount and mountpoint refcount. RCU and vfsmount locks
are dropped. This is termed "dropping rcu-walk". If the dentry refcount does
not match, we can not drop rcu-walk gracefully at the current point in the
lokup, so instead return -ECHILD (for want of a better errno). This signals the
path walking code to re-do the entire lookup with a ref-walk.
Aside from the final dentry, there are other situations that may be encounted
where we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take
a reference on the last good dentry) and continue with a ref-walk. Again, if
we can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup
using ref-walk. But it is very important that we can continue with ref-walk
for most cases, particularly to avoid the overhead of double lookups, and to
gain the scalability advantages on common path elements (like cwd and root).
The cases where rcu-walk cannot continue are:
* NULL dentry (ie. any uncached path element)
* parent with d_inode->i_op->permission or ACLs
* dentries with d_revalidate
* Following links
In future patches, permission checks and d_revalidate become rcu-walk aware. It
may be possible eventually to make following links rcu-walk aware.
Uncached path elements will always require dropping to ref-walk mode, at the
very least because i_mutex needs to be grabbed, and objects allocated.
Signed-off-by: Nick Piggin <npiggin@kernel.dk>
2011-01-07 14:49:52 +08:00
|
|
|
#include <linux/seqlock.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/cache.h>
|
|
|
|
#include <linux/rcupdate.h>
|
|
|
|
|
|
|
|
struct nameidata;
|
2008-02-15 11:38:44 +08:00
|
|
|
struct path;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct vfsmount;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* linux/include/linux/dcache.h
|
|
|
|
*
|
|
|
|
* Dirent cache data structures
|
|
|
|
*
|
|
|
|
* (C) Copyright 1997 Thomas Schoebel-Theuer,
|
|
|
|
* with heavy changes by Linus Torvalds
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define IS_ROOT(x) ((x) == (x)->d_parent)
|
|
|
|
|
|
|
|
/*
|
|
|
|
* "quick string" -- eases parameter passing, but more importantly
|
|
|
|
* saves "metadata" about the string (ie length and the hash).
|
|
|
|
*
|
|
|
|
* hash comes first so it snuggles against d_parent in the
|
|
|
|
* dentry.
|
|
|
|
*/
|
|
|
|
struct qstr {
|
|
|
|
unsigned int hash;
|
|
|
|
unsigned int len;
|
|
|
|
const unsigned char *name;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct dentry_stat_t {
|
|
|
|
int nr_dentry;
|
|
|
|
int nr_unused;
|
|
|
|
int age_limit; /* age in seconds */
|
|
|
|
int want_pages; /* pages requested by system */
|
|
|
|
int dummy[2];
|
|
|
|
};
|
|
|
|
extern struct dentry_stat_t dentry_stat;
|
|
|
|
|
2011-01-07 14:50:09 +08:00
|
|
|
/*
|
|
|
|
* Compare 2 name strings, return 0 if they match, otherwise non-zero.
|
|
|
|
* The strings are both count bytes long, and count is non-zero.
|
|
|
|
*/
|
|
|
|
static inline int dentry_cmp(const unsigned char *cs, size_t scount,
|
|
|
|
const unsigned char *ct, size_t tcount)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
if (scount != tcount)
|
|
|
|
return 1;
|
|
|
|
do {
|
|
|
|
ret = (*cs != *ct);
|
|
|
|
if (ret)
|
|
|
|
break;
|
|
|
|
cs++;
|
|
|
|
ct++;
|
|
|
|
tcount--;
|
|
|
|
} while (tcount);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Name hashing routines. Initial hash value */
|
|
|
|
/* Hash courtesy of the R5 hash in reiserfs modulo sign bits */
|
|
|
|
#define init_name_hash() 0
|
|
|
|
|
|
|
|
/* partial hash update function. Assume roughly 4 bits per character */
|
|
|
|
static inline unsigned long
|
|
|
|
partial_name_hash(unsigned long c, unsigned long prevhash)
|
|
|
|
{
|
|
|
|
return (prevhash + (c << 4) + (c >> 4)) * 11;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Finally: cut down the number of bits to a int value (and try to avoid
|
|
|
|
* losing bits)
|
|
|
|
*/
|
|
|
|
static inline unsigned long end_name_hash(unsigned long hash)
|
|
|
|
{
|
|
|
|
return (unsigned int) hash;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Compute the hash for a name string. */
|
|
|
|
static inline unsigned int
|
|
|
|
full_name_hash(const unsigned char *name, unsigned int len)
|
|
|
|
{
|
|
|
|
unsigned long hash = init_name_hash();
|
|
|
|
while (len--)
|
|
|
|
hash = partial_name_hash(*name++, hash);
|
|
|
|
return end_name_hash(hash);
|
|
|
|
}
|
|
|
|
|
2008-12-01 16:33:43 +08:00
|
|
|
/*
|
|
|
|
* Try to keep struct dentry aligned on 64 byte cachelines (this will
|
|
|
|
* give reasonable cacheline footprint with larger lines without the
|
|
|
|
* large memory footprint increase).
|
|
|
|
*/
|
|
|
|
#ifdef CONFIG_64BIT
|
2011-01-07 14:49:56 +08:00
|
|
|
# define DNAME_INLINE_LEN 32 /* 192 bytes */
|
2008-12-01 16:33:43 +08:00
|
|
|
#else
|
2011-01-07 14:49:56 +08:00
|
|
|
# ifdef CONFIG_SMP
|
|
|
|
# define DNAME_INLINE_LEN 36 /* 128 bytes */
|
|
|
|
# else
|
|
|
|
# define DNAME_INLINE_LEN 40 /* 128 bytes */
|
|
|
|
# endif
|
2008-12-01 16:33:43 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
struct dentry {
|
2011-01-07 14:49:56 +08:00
|
|
|
/* RCU lookup touched fields */
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned int d_flags; /* protected by d_lock */
|
fs: rcu-walk for path lookup
Perform common cases of path lookups without any stores or locking in the
ancestor dentry elements. This is called rcu-walk, as opposed to the current
algorithm which is a refcount based walk, or ref-walk.
This results in far fewer atomic operations on every path element,
significantly improving path lookup performance. It also avoids cacheline
bouncing on common dentries, significantly improving scalability.
The overall design is like this:
* LOOKUP_RCU is set in nd->flags, which distinguishes rcu-walk from ref-walk.
* Take the RCU lock for the entire path walk, starting with the acquiring
of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are
not required for dentry persistence.
* synchronize_rcu is called when unregistering a filesystem, so we can
access d_ops and i_ops during rcu-walk.
* Similarly take the vfsmount lock for the entire path walk. So now mnt
refcounts are not required for persistence. Also we are free to perform mount
lookups, and to assume dentry mount points and mount roots are stable up and
down the path.
* Have a per-dentry seqlock to protect the dentry name, parent, and inode,
so we can load this tuple atomically, and also check whether any of its
members have changed.
* Dentry lookups (based on parent, candidate string tuple) recheck the parent
sequence after the child is found in case anything changed in the parent
during the path walk.
* inode is also RCU protected so we can load d_inode and use the inode for
limited things.
* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.
* i_op can be loaded.
When we reach the destination dentry, we lock it, recheck lookup sequence,
and increment its refcount and mountpoint refcount. RCU and vfsmount locks
are dropped. This is termed "dropping rcu-walk". If the dentry refcount does
not match, we can not drop rcu-walk gracefully at the current point in the
lokup, so instead return -ECHILD (for want of a better errno). This signals the
path walking code to re-do the entire lookup with a ref-walk.
Aside from the final dentry, there are other situations that may be encounted
where we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take
a reference on the last good dentry) and continue with a ref-walk. Again, if
we can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup
using ref-walk. But it is very important that we can continue with ref-walk
for most cases, particularly to avoid the overhead of double lookups, and to
gain the scalability advantages on common path elements (like cwd and root).
The cases where rcu-walk cannot continue are:
* NULL dentry (ie. any uncached path element)
* parent with d_inode->i_op->permission or ACLs
* dentries with d_revalidate
* Following links
In future patches, permission checks and d_revalidate become rcu-walk aware. It
may be possible eventually to make following links rcu-walk aware.
Uncached path elements will always require dropping to ref-walk mode, at the
very least because i_mutex needs to be grabbed, and objects allocated.
Signed-off-by: Nick Piggin <npiggin@kernel.dk>
2011-01-07 14:49:52 +08:00
|
|
|
seqcount_t d_seq; /* per dentry seqlock */
|
2011-01-07 14:50:05 +08:00
|
|
|
struct hlist_bl_node d_hash; /* lookup hash list */
|
2005-04-17 06:20:36 +08:00
|
|
|
struct dentry *d_parent; /* parent directory */
|
|
|
|
struct qstr d_name;
|
2011-01-07 14:49:56 +08:00
|
|
|
struct inode *d_inode; /* Where the name belongs to - NULL is
|
|
|
|
* negative */
|
|
|
|
unsigned char d_iname[DNAME_INLINE_LEN]; /* small names */
|
|
|
|
|
|
|
|
/* Ref lookup also touches following */
|
|
|
|
unsigned int d_count; /* protected by d_lock */
|
|
|
|
spinlock_t d_lock; /* per dentry lock */
|
|
|
|
const struct dentry_operations *d_op;
|
|
|
|
struct super_block *d_sb; /* The root of the dentry tree */
|
|
|
|
unsigned long d_time; /* used by d_revalidate */
|
|
|
|
void *d_fsdata; /* fs-specific data */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
struct list_head d_lru; /* LRU list */
|
[PATCH] shrink dentry struct
Some long time ago, dentry struct was carefully tuned so that on 32 bits
UP, sizeof(struct dentry) was exactly 128, ie a power of 2, and a multiple
of memory cache lines.
Then RCU was added and dentry struct enlarged by two pointers, with nice
results for SMP, but not so good on UP, because breaking the above tuning
(128 + 8 = 136 bytes)
This patch reverts this unwanted side effect, by using an union (d_u),
where d_rcu and d_child are placed so that these two fields can share their
memory needs.
At the time d_free() is called (and d_rcu is really used), d_child is known
to be empty and not touched by the dentry freeing.
Lockless lookups only access d_name, d_parent, d_lock, d_op, d_flags (so
the previous content of d_child is not needed if said dentry was unhashed
but still accessed by a CPU because of RCU constraints)
As dentry cache easily contains millions of entries, a size reduction is
worth the extra complexity of the ugly C union.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Cc: Maneesh Soni <maneesh@in.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Cc: Ian Kent <raven@themaw.net>
Cc: Paul Jackson <pj@sgi.com>
Cc: Al Viro <viro@ftp.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Neil Brown <neilb@cse.unsw.edu.au>
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-01-08 17:03:32 +08:00
|
|
|
/*
|
|
|
|
* d_child and d_rcu can share memory
|
|
|
|
*/
|
|
|
|
union {
|
|
|
|
struct list_head d_child; /* child of parent list */
|
|
|
|
struct rcu_head d_rcu;
|
|
|
|
} d_u;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct list_head d_subdirs; /* our children */
|
|
|
|
struct list_head d_alias; /* inode alias list */
|
|
|
|
};
|
|
|
|
|
2006-07-03 15:25:04 +08:00
|
|
|
/*
|
|
|
|
* dentry->d_lock spinlock nesting subclasses:
|
|
|
|
*
|
|
|
|
* 0: normal
|
|
|
|
* 1: nested
|
|
|
|
*/
|
|
|
|
enum dentry_d_lock_class
|
|
|
|
{
|
|
|
|
DENTRY_D_LOCK_NORMAL, /* implicitly used by plain spin_lock() APIs. */
|
|
|
|
DENTRY_D_LOCK_NESTED
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct dentry_operations {
|
|
|
|
int (*d_revalidate)(struct dentry *, struct nameidata *);
|
2011-01-07 14:49:28 +08:00
|
|
|
int (*d_hash)(const struct dentry *, const struct inode *,
|
|
|
|
struct qstr *);
|
2011-01-07 14:49:27 +08:00
|
|
|
int (*d_compare)(const struct dentry *, const struct inode *,
|
|
|
|
const struct dentry *, const struct inode *,
|
|
|
|
unsigned int, const char *, const struct qstr *);
|
2011-01-07 14:49:23 +08:00
|
|
|
int (*d_delete)(const struct dentry *);
|
2005-04-17 06:20:36 +08:00
|
|
|
void (*d_release)(struct dentry *);
|
2011-10-29 01:02:42 +08:00
|
|
|
void (*d_prune)(struct dentry *);
|
2005-04-17 06:20:36 +08:00
|
|
|
void (*d_iput)(struct dentry *, struct inode *);
|
2007-05-08 15:26:18 +08:00
|
|
|
char *(*d_dname)(struct dentry *, char *, int);
|
Add a dentry op to handle automounting rather than abusing follow_link()
Add a dentry op (d_automount) to handle automounting directories rather than
abusing the follow_link() inode operation. The operation is keyed off a new
dentry flag (DCACHE_NEED_AUTOMOUNT).
This also makes it easier to add an AT_ flag to suppress terminal segment
automount during pathwalk and removes the need for the kludge code in the
pathwalk algorithm to handle directories with follow_link() semantics.
The ->d_automount() dentry operation:
struct vfsmount *(*d_automount)(struct path *mountpoint);
takes a pointer to the directory to be mounted upon, which is expected to
provide sufficient data to determine what should be mounted. If successful, it
should return the vfsmount struct it creates (which it should also have added
to the namespace using do_add_mount() or similar). If there's a collision with
another automount attempt, NULL should be returned. If the directory specified
by the parameter should be used directly rather than being mounted upon,
-EISDIR should be returned. In any other case, an error code should be
returned.
The ->d_automount() operation is called with no locks held and may sleep. At
this point the pathwalk algorithm will be in ref-walk mode.
Within fs/namei.c itself, a new pathwalk subroutine (follow_automount()) is
added to handle mountpoints. It will return -EREMOTE if the automount flag was
set, but no d_automount() op was supplied, -ELOOP if we've encountered too many
symlinks or mountpoints, -EISDIR if the walk point should be used without
mounting and 0 if successful. The path will be updated to point to the mounted
filesystem if a successful automount took place.
__follow_mount() is replaced by follow_managed() which is more generic
(especially with the patch that adds ->d_manage()). This handles transits from
directories during pathwalk, including automounting and skipping over
mountpoints (and holding processes with the next patch).
__follow_mount_rcu() will jump out of RCU-walk mode if it encounters an
automount point with nothing mounted on it.
follow_dotdot*() does not handle automounts as you don't want to trigger them
whilst following "..".
I've also extracted the mount/don't-mount logic from autofs4 and included it
here. It makes the mount go ahead anyway if someone calls open() or creat(),
tries to traverse the directory, tries to chdir/chroot/etc. into the directory,
or sticks a '/' on the end of the pathname. If they do a stat(), however,
they'll only trigger the automount if they didn't also say O_NOFOLLOW.
I've also added an inode flag (S_AUTOMOUNT) so that filesystems can mark their
inodes as automount points. This flag is automatically propagated to the
dentry as DCACHE_NEED_AUTOMOUNT by __d_instantiate(). This saves NFS and could
save AFS a private flag bit apiece, but is not strictly necessary. It would be
preferable to do the propagation in d_set_d_op(), but that doesn't normally
have access to the inode.
[AV: fixed breakage in case if __follow_mount_rcu() fails and nameidata_drop_rcu()
succeeds in RCU case of do_lookup(); we need to fall through to non-RCU case after
that, rather than just returning with ungrabbed *path]
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:21 +08:00
|
|
|
struct vfsmount *(*d_automount)(struct path *);
|
2011-03-18 21:09:02 +08:00
|
|
|
int (*d_manage)(struct dentry *, bool);
|
2011-01-07 14:49:56 +08:00
|
|
|
} ____cacheline_aligned;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-01-07 14:49:22 +08:00
|
|
|
/*
|
|
|
|
* Locking rules for dentry_operations callbacks are to be found in
|
|
|
|
* Documentation/filesystems/Locking. Keep it updated!
|
|
|
|
*
|
2011-01-07 14:49:27 +08:00
|
|
|
* FUrther descriptions are found in Documentation/filesystems/vfs.txt.
|
|
|
|
* Keep it updated too!
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* d_flags entries */
|
2011-08-07 13:41:50 +08:00
|
|
|
#define DCACHE_OP_HASH 0x0001
|
|
|
|
#define DCACHE_OP_COMPARE 0x0002
|
|
|
|
#define DCACHE_OP_REVALIDATE 0x0004
|
|
|
|
#define DCACHE_OP_DELETE 0x0008
|
2011-10-29 01:02:42 +08:00
|
|
|
#define DCACHE_OP_PRUNE 0x0010
|
2011-01-07 14:49:54 +08:00
|
|
|
|
2011-10-29 01:02:42 +08:00
|
|
|
#define DCACHE_DISCONNECTED 0x0020
|
2011-01-07 14:49:54 +08:00
|
|
|
/* This dentry is possibly not currently connected to the dcache tree, in
|
|
|
|
* which case its parent will either be itself, or will have this flag as
|
|
|
|
* well. nfsd will not use a dentry with this bit set, but will first
|
|
|
|
* endeavour to clear the bit either by discovering that it is connected,
|
|
|
|
* or by performing lookup operations. Any filesystem which supports
|
|
|
|
* nfsd_operations MUST have a lookup function which, if it finds a
|
|
|
|
* directory inode with a DCACHE_DISCONNECTED dentry, will d_move that
|
|
|
|
* dentry into place and return that dentry rather than the passed one,
|
|
|
|
* typically using d_splice_alias. */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-10-29 01:02:42 +08:00
|
|
|
#define DCACHE_REFERENCED 0x0040 /* Recently used, don't discard. */
|
|
|
|
#define DCACHE_RCUACCESS 0x0080 /* Entry has ever been RCU-visible */
|
2009-05-22 05:01:29 +08:00
|
|
|
|
2010-05-01 05:17:09 +08:00
|
|
|
#define DCACHE_CANT_MOUNT 0x0100
|
2011-01-07 14:49:37 +08:00
|
|
|
#define DCACHE_GENOCIDE 0x0200
|
2011-01-07 14:49:54 +08:00
|
|
|
|
2011-08-07 13:41:50 +08:00
|
|
|
#define DCACHE_NFSFS_RENAMED 0x1000
|
|
|
|
/* this dentry has been "silly renamed" and has to be deleted on the last
|
|
|
|
* dput() */
|
|
|
|
#define DCACHE_COOKIE 0x2000 /* For use by dcookie subsystem */
|
|
|
|
#define DCACHE_FSNOTIFY_PARENT_WATCHED 0x4000
|
|
|
|
/* Parent inode is watched by some fsnotify listener */
|
2011-01-07 14:49:55 +08:00
|
|
|
|
Add a dentry op to handle automounting rather than abusing follow_link()
Add a dentry op (d_automount) to handle automounting directories rather than
abusing the follow_link() inode operation. The operation is keyed off a new
dentry flag (DCACHE_NEED_AUTOMOUNT).
This also makes it easier to add an AT_ flag to suppress terminal segment
automount during pathwalk and removes the need for the kludge code in the
pathwalk algorithm to handle directories with follow_link() semantics.
The ->d_automount() dentry operation:
struct vfsmount *(*d_automount)(struct path *mountpoint);
takes a pointer to the directory to be mounted upon, which is expected to
provide sufficient data to determine what should be mounted. If successful, it
should return the vfsmount struct it creates (which it should also have added
to the namespace using do_add_mount() or similar). If there's a collision with
another automount attempt, NULL should be returned. If the directory specified
by the parameter should be used directly rather than being mounted upon,
-EISDIR should be returned. In any other case, an error code should be
returned.
The ->d_automount() operation is called with no locks held and may sleep. At
this point the pathwalk algorithm will be in ref-walk mode.
Within fs/namei.c itself, a new pathwalk subroutine (follow_automount()) is
added to handle mountpoints. It will return -EREMOTE if the automount flag was
set, but no d_automount() op was supplied, -ELOOP if we've encountered too many
symlinks or mountpoints, -EISDIR if the walk point should be used without
mounting and 0 if successful. The path will be updated to point to the mounted
filesystem if a successful automount took place.
__follow_mount() is replaced by follow_managed() which is more generic
(especially with the patch that adds ->d_manage()). This handles transits from
directories during pathwalk, including automounting and skipping over
mountpoints (and holding processes with the next patch).
__follow_mount_rcu() will jump out of RCU-walk mode if it encounters an
automount point with nothing mounted on it.
follow_dotdot*() does not handle automounts as you don't want to trigger them
whilst following "..".
I've also extracted the mount/don't-mount logic from autofs4 and included it
here. It makes the mount go ahead anyway if someone calls open() or creat(),
tries to traverse the directory, tries to chdir/chroot/etc. into the directory,
or sticks a '/' on the end of the pathname. If they do a stat(), however,
they'll only trigger the automount if they didn't also say O_NOFOLLOW.
I've also added an inode flag (S_AUTOMOUNT) so that filesystems can mark their
inodes as automount points. This flag is automatically propagated to the
dentry as DCACHE_NEED_AUTOMOUNT by __d_instantiate(). This saves NFS and could
save AFS a private flag bit apiece, but is not strictly necessary. It would be
preferable to do the propagation in d_set_d_op(), but that doesn't normally
have access to the inode.
[AV: fixed breakage in case if __follow_mount_rcu() fails and nameidata_drop_rcu()
succeeds in RCU case of do_lookup(); we need to fall through to non-RCU case after
that, rather than just returning with ungrabbed *path]
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:21 +08:00
|
|
|
#define DCACHE_MOUNTED 0x10000 /* is a mountpoint */
|
|
|
|
#define DCACHE_NEED_AUTOMOUNT 0x20000 /* handle automount on this dir */
|
Add a dentry op to allow processes to be held during pathwalk transit
Add a dentry op (d_manage) to permit a filesystem to hold a process and make it
sleep when it tries to transit away from one of that filesystem's directories
during a pathwalk. The operation is keyed off a new dentry flag
(DCACHE_MANAGE_TRANSIT).
The filesystem is allowed to be selective about which processes it holds and
which it permits to continue on or prohibits from transiting from each flagged
directory. This will allow autofs to hold up client processes whilst letting
its userspace daemon through to maintain the directory or the stuff behind it
or mounted upon it.
The ->d_manage() dentry operation:
int (*d_manage)(struct path *path, bool mounting_here);
takes a pointer to the directory about to be transited away from and a flag
indicating whether the transit is undertaken by do_add_mount() or
do_move_mount() skipping through a pile of filesystems mounted on a mountpoint.
It should return 0 if successful and to let the process continue on its way;
-EISDIR to prohibit the caller from skipping to overmounted filesystems or
automounting, and to use this directory; or some other error code to return to
the user.
->d_manage() is called with namespace_sem writelocked if mounting_here is true
and no other locks held, so it may sleep. However, if mounting_here is true,
it may not initiate or wait for a mount or unmount upon the parameter
directory, even if the act is actually performed by userspace.
Within fs/namei.c, follow_managed() is extended to check with d_manage() first
on each managed directory, before transiting away from it or attempting to
automount upon it.
follow_down() is renamed follow_down_one() and should only be used where the
filesystem deliberately intends to avoid management steps (e.g. autofs).
A new follow_down() is added that incorporates the loop done by all other
callers of follow_down() (do_add/move_mount(), autofs and NFSD; whilst AFS, NFS
and CIFS do use it, their use is removed by converting them to use
d_automount()). The new follow_down() calls d_manage() as appropriate. It
also takes an extra parameter to indicate if it is being called from mount code
(with namespace_sem writelocked) which it passes to d_manage(). follow_down()
ignores automount points so that it can be used to mount on them.
__follow_mount_rcu() is made to abort rcu-walk mode if it hits a directory with
DCACHE_MANAGE_TRANSIT set on the basis that we're probably going to have to
sleep. It would be possible to enter d_manage() in rcu-walk mode too, and have
that determine whether to abort or not itself. That would allow the autofs
daemon to continue on in rcu-walk mode.
Note that DCACHE_MANAGE_TRANSIT on a directory should be cleared when it isn't
required as every tranist from that directory will cause d_manage() to be
invoked. It can always be set again when necessary.
==========================
WHAT THIS MEANS FOR AUTOFS
==========================
Autofs currently uses the lookup() inode op and the d_revalidate() dentry op to
trigger the automounting of indirect mounts, and both of these can be called
with i_mutex held.
autofs knows that the i_mutex will be held by the caller in lookup(), and so
can drop it before invoking the daemon - but this isn't so for d_revalidate(),
since the lock is only held on _some_ of the code paths that call it. This
means that autofs can't risk dropping i_mutex from its d_revalidate() function
before it calls the daemon.
The bug could manifest itself as, for example, a process that's trying to
validate an automount dentry that gets made to wait because that dentry is
expired and needs cleaning up:
mkdir S ffffffff8014e05a 0 32580 24956
Call Trace:
[<ffffffff885371fd>] :autofs4:autofs4_wait+0x674/0x897
[<ffffffff80127f7d>] avc_has_perm+0x46/0x58
[<ffffffff8009fdcf>] autoremove_wake_function+0x0/0x2e
[<ffffffff88537be6>] :autofs4:autofs4_expire_wait+0x41/0x6b
[<ffffffff88535cfc>] :autofs4:autofs4_revalidate+0x91/0x149
[<ffffffff80036d96>] __lookup_hash+0xa0/0x12f
[<ffffffff80057a2f>] lookup_create+0x46/0x80
[<ffffffff800e6e31>] sys_mkdirat+0x56/0xe4
versus the automount daemon which wants to remove that dentry, but can't
because the normal process is holding the i_mutex lock:
automount D ffffffff8014e05a 0 32581 1 32561
Call Trace:
[<ffffffff80063c3f>] __mutex_lock_slowpath+0x60/0x9b
[<ffffffff8000ccf1>] do_path_lookup+0x2ca/0x2f1
[<ffffffff80063c89>] .text.lock.mutex+0xf/0x14
[<ffffffff800e6d55>] do_rmdir+0x77/0xde
[<ffffffff8005d229>] tracesys+0x71/0xe0
[<ffffffff8005d28d>] tracesys+0xd5/0xe0
which means that the system is deadlocked.
This patch allows autofs to hold up normal processes whilst the daemon goes
ahead and does things to the dentry tree behind the automouter point without
risking a deadlock as almost no locks are held in d_manage() and none in
d_automount().
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:26 +08:00
|
|
|
#define DCACHE_MANAGE_TRANSIT 0x40000 /* manage transit from this dirent */
|
2011-05-31 23:58:49 +08:00
|
|
|
#define DCACHE_NEED_LOOKUP 0x80000 /* dentry requires i_op->lookup */
|
Add a dentry op to handle automounting rather than abusing follow_link()
Add a dentry op (d_automount) to handle automounting directories rather than
abusing the follow_link() inode operation. The operation is keyed off a new
dentry flag (DCACHE_NEED_AUTOMOUNT).
This also makes it easier to add an AT_ flag to suppress terminal segment
automount during pathwalk and removes the need for the kludge code in the
pathwalk algorithm to handle directories with follow_link() semantics.
The ->d_automount() dentry operation:
struct vfsmount *(*d_automount)(struct path *mountpoint);
takes a pointer to the directory to be mounted upon, which is expected to
provide sufficient data to determine what should be mounted. If successful, it
should return the vfsmount struct it creates (which it should also have added
to the namespace using do_add_mount() or similar). If there's a collision with
another automount attempt, NULL should be returned. If the directory specified
by the parameter should be used directly rather than being mounted upon,
-EISDIR should be returned. In any other case, an error code should be
returned.
The ->d_automount() operation is called with no locks held and may sleep. At
this point the pathwalk algorithm will be in ref-walk mode.
Within fs/namei.c itself, a new pathwalk subroutine (follow_automount()) is
added to handle mountpoints. It will return -EREMOTE if the automount flag was
set, but no d_automount() op was supplied, -ELOOP if we've encountered too many
symlinks or mountpoints, -EISDIR if the walk point should be used without
mounting and 0 if successful. The path will be updated to point to the mounted
filesystem if a successful automount took place.
__follow_mount() is replaced by follow_managed() which is more generic
(especially with the patch that adds ->d_manage()). This handles transits from
directories during pathwalk, including automounting and skipping over
mountpoints (and holding processes with the next patch).
__follow_mount_rcu() will jump out of RCU-walk mode if it encounters an
automount point with nothing mounted on it.
follow_dotdot*() does not handle automounts as you don't want to trigger them
whilst following "..".
I've also extracted the mount/don't-mount logic from autofs4 and included it
here. It makes the mount go ahead anyway if someone calls open() or creat(),
tries to traverse the directory, tries to chdir/chroot/etc. into the directory,
or sticks a '/' on the end of the pathname. If they do a stat(), however,
they'll only trigger the automount if they didn't also say O_NOFOLLOW.
I've also added an inode flag (S_AUTOMOUNT) so that filesystems can mark their
inodes as automount points. This flag is automatically propagated to the
dentry as DCACHE_NEED_AUTOMOUNT by __d_instantiate(). This saves NFS and could
save AFS a private flag bit apiece, but is not strictly necessary. It would be
preferable to do the propagation in d_set_d_op(), but that doesn't normally
have access to the inode.
[AV: fixed breakage in case if __follow_mount_rcu() fails and nameidata_drop_rcu()
succeeds in RCU case of do_lookup(); we need to fall through to non-RCU case after
that, rather than just returning with ungrabbed *path]
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:21 +08:00
|
|
|
#define DCACHE_MANAGED_DENTRY \
|
Add a dentry op to allow processes to be held during pathwalk transit
Add a dentry op (d_manage) to permit a filesystem to hold a process and make it
sleep when it tries to transit away from one of that filesystem's directories
during a pathwalk. The operation is keyed off a new dentry flag
(DCACHE_MANAGE_TRANSIT).
The filesystem is allowed to be selective about which processes it holds and
which it permits to continue on or prohibits from transiting from each flagged
directory. This will allow autofs to hold up client processes whilst letting
its userspace daemon through to maintain the directory or the stuff behind it
or mounted upon it.
The ->d_manage() dentry operation:
int (*d_manage)(struct path *path, bool mounting_here);
takes a pointer to the directory about to be transited away from and a flag
indicating whether the transit is undertaken by do_add_mount() or
do_move_mount() skipping through a pile of filesystems mounted on a mountpoint.
It should return 0 if successful and to let the process continue on its way;
-EISDIR to prohibit the caller from skipping to overmounted filesystems or
automounting, and to use this directory; or some other error code to return to
the user.
->d_manage() is called with namespace_sem writelocked if mounting_here is true
and no other locks held, so it may sleep. However, if mounting_here is true,
it may not initiate or wait for a mount or unmount upon the parameter
directory, even if the act is actually performed by userspace.
Within fs/namei.c, follow_managed() is extended to check with d_manage() first
on each managed directory, before transiting away from it or attempting to
automount upon it.
follow_down() is renamed follow_down_one() and should only be used where the
filesystem deliberately intends to avoid management steps (e.g. autofs).
A new follow_down() is added that incorporates the loop done by all other
callers of follow_down() (do_add/move_mount(), autofs and NFSD; whilst AFS, NFS
and CIFS do use it, their use is removed by converting them to use
d_automount()). The new follow_down() calls d_manage() as appropriate. It
also takes an extra parameter to indicate if it is being called from mount code
(with namespace_sem writelocked) which it passes to d_manage(). follow_down()
ignores automount points so that it can be used to mount on them.
__follow_mount_rcu() is made to abort rcu-walk mode if it hits a directory with
DCACHE_MANAGE_TRANSIT set on the basis that we're probably going to have to
sleep. It would be possible to enter d_manage() in rcu-walk mode too, and have
that determine whether to abort or not itself. That would allow the autofs
daemon to continue on in rcu-walk mode.
Note that DCACHE_MANAGE_TRANSIT on a directory should be cleared when it isn't
required as every tranist from that directory will cause d_manage() to be
invoked. It can always be set again when necessary.
==========================
WHAT THIS MEANS FOR AUTOFS
==========================
Autofs currently uses the lookup() inode op and the d_revalidate() dentry op to
trigger the automounting of indirect mounts, and both of these can be called
with i_mutex held.
autofs knows that the i_mutex will be held by the caller in lookup(), and so
can drop it before invoking the daemon - but this isn't so for d_revalidate(),
since the lock is only held on _some_ of the code paths that call it. This
means that autofs can't risk dropping i_mutex from its d_revalidate() function
before it calls the daemon.
The bug could manifest itself as, for example, a process that's trying to
validate an automount dentry that gets made to wait because that dentry is
expired and needs cleaning up:
mkdir S ffffffff8014e05a 0 32580 24956
Call Trace:
[<ffffffff885371fd>] :autofs4:autofs4_wait+0x674/0x897
[<ffffffff80127f7d>] avc_has_perm+0x46/0x58
[<ffffffff8009fdcf>] autoremove_wake_function+0x0/0x2e
[<ffffffff88537be6>] :autofs4:autofs4_expire_wait+0x41/0x6b
[<ffffffff88535cfc>] :autofs4:autofs4_revalidate+0x91/0x149
[<ffffffff80036d96>] __lookup_hash+0xa0/0x12f
[<ffffffff80057a2f>] lookup_create+0x46/0x80
[<ffffffff800e6e31>] sys_mkdirat+0x56/0xe4
versus the automount daemon which wants to remove that dentry, but can't
because the normal process is holding the i_mutex lock:
automount D ffffffff8014e05a 0 32581 1 32561
Call Trace:
[<ffffffff80063c3f>] __mutex_lock_slowpath+0x60/0x9b
[<ffffffff8000ccf1>] do_path_lookup+0x2ca/0x2f1
[<ffffffff80063c89>] .text.lock.mutex+0xf/0x14
[<ffffffff800e6d55>] do_rmdir+0x77/0xde
[<ffffffff8005d229>] tracesys+0x71/0xe0
[<ffffffff8005d28d>] tracesys+0xd5/0xe0
which means that the system is deadlocked.
This patch allows autofs to hold up normal processes whilst the daemon goes
ahead and does things to the dentry tree behind the automouter point without
risking a deadlock as almost no locks are held in d_manage() and none in
d_automount().
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:26 +08:00
|
|
|
(DCACHE_MOUNTED|DCACHE_NEED_AUTOMOUNT|DCACHE_MANAGE_TRANSIT)
|
Add a dentry op to handle automounting rather than abusing follow_link()
Add a dentry op (d_automount) to handle automounting directories rather than
abusing the follow_link() inode operation. The operation is keyed off a new
dentry flag (DCACHE_NEED_AUTOMOUNT).
This also makes it easier to add an AT_ flag to suppress terminal segment
automount during pathwalk and removes the need for the kludge code in the
pathwalk algorithm to handle directories with follow_link() semantics.
The ->d_automount() dentry operation:
struct vfsmount *(*d_automount)(struct path *mountpoint);
takes a pointer to the directory to be mounted upon, which is expected to
provide sufficient data to determine what should be mounted. If successful, it
should return the vfsmount struct it creates (which it should also have added
to the namespace using do_add_mount() or similar). If there's a collision with
another automount attempt, NULL should be returned. If the directory specified
by the parameter should be used directly rather than being mounted upon,
-EISDIR should be returned. In any other case, an error code should be
returned.
The ->d_automount() operation is called with no locks held and may sleep. At
this point the pathwalk algorithm will be in ref-walk mode.
Within fs/namei.c itself, a new pathwalk subroutine (follow_automount()) is
added to handle mountpoints. It will return -EREMOTE if the automount flag was
set, but no d_automount() op was supplied, -ELOOP if we've encountered too many
symlinks or mountpoints, -EISDIR if the walk point should be used without
mounting and 0 if successful. The path will be updated to point to the mounted
filesystem if a successful automount took place.
__follow_mount() is replaced by follow_managed() which is more generic
(especially with the patch that adds ->d_manage()). This handles transits from
directories during pathwalk, including automounting and skipping over
mountpoints (and holding processes with the next patch).
__follow_mount_rcu() will jump out of RCU-walk mode if it encounters an
automount point with nothing mounted on it.
follow_dotdot*() does not handle automounts as you don't want to trigger them
whilst following "..".
I've also extracted the mount/don't-mount logic from autofs4 and included it
here. It makes the mount go ahead anyway if someone calls open() or creat(),
tries to traverse the directory, tries to chdir/chroot/etc. into the directory,
or sticks a '/' on the end of the pathname. If they do a stat(), however,
they'll only trigger the automount if they didn't also say O_NOFOLLOW.
I've also added an inode flag (S_AUTOMOUNT) so that filesystems can mark their
inodes as automount points. This flag is automatically propagated to the
dentry as DCACHE_NEED_AUTOMOUNT by __d_instantiate(). This saves NFS and could
save AFS a private flag bit apiece, but is not strictly necessary. It would be
preferable to do the propagation in d_set_d_op(), but that doesn't normally
have access to the inode.
[AV: fixed breakage in case if __follow_mount_rcu() fails and nameidata_drop_rcu()
succeeds in RCU case of do_lookup(); we need to fall through to non-RCU case after
that, rather than just returning with ungrabbed *path]
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:21 +08:00
|
|
|
|
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there. New command
tells audit to recalculate the trees, trimming such sources of false
positives.
Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2007-07-22 20:04:18 +08:00
|
|
|
extern seqlock_t rename_lock;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
static inline int dname_external(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return dentry->d_name.name != dentry->d_iname;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* These are the low-level FS interfaces to the dcache..
|
|
|
|
*/
|
|
|
|
extern void d_instantiate(struct dentry *, struct inode *);
|
|
|
|
extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *);
|
2006-08-23 08:06:07 +08:00
|
|
|
extern struct dentry * d_materialise_unique(struct dentry *, struct inode *);
|
2011-01-07 14:49:30 +08:00
|
|
|
extern void __d_drop(struct dentry *dentry);
|
|
|
|
extern void d_drop(struct dentry *dentry);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void d_delete(struct dentry *);
|
2011-01-07 14:49:55 +08:00
|
|
|
extern void d_set_d_op(struct dentry *dentry, const struct dentry_operations *op);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* allocate/de-allocate */
|
|
|
|
extern struct dentry * d_alloc(struct dentry *, const struct qstr *);
|
2011-01-07 14:50:07 +08:00
|
|
|
extern struct dentry * d_alloc_pseudo(struct super_block *, const struct qstr *);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern struct dentry * d_splice_alias(struct inode *, struct dentry *);
|
2008-08-08 05:49:07 +08:00
|
|
|
extern struct dentry * d_add_ci(struct dentry *, struct inode *, struct qstr *);
|
2008-08-11 21:48:57 +08:00
|
|
|
extern struct dentry * d_obtain_alias(struct inode *);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void shrink_dcache_sb(struct super_block *);
|
|
|
|
extern void shrink_dcache_parent(struct dentry *);
|
2006-10-11 16:22:19 +08:00
|
|
|
extern void shrink_dcache_for_umount(struct super_block *);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int d_invalidate(struct dentry *);
|
|
|
|
|
|
|
|
/* only used at mount-time */
|
|
|
|
extern struct dentry * d_alloc_root(struct inode *);
|
2012-01-09 05:49:21 +08:00
|
|
|
extern struct dentry * d_make_root(struct inode *);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* <clickety>-<click> the ramfs-type tree */
|
|
|
|
extern void d_genocide(struct dentry *);
|
|
|
|
|
|
|
|
extern struct dentry *d_find_alias(struct inode *);
|
|
|
|
extern void d_prune_aliases(struct inode *);
|
|
|
|
|
|
|
|
/* test whether we have any submounts in a subdir tree */
|
|
|
|
extern int have_submounts(struct dentry *);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This adds the entry to the hash queues.
|
|
|
|
*/
|
|
|
|
extern void d_rehash(struct dentry *);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* d_add - add dentry to hash queues
|
|
|
|
* @entry: dentry to add
|
|
|
|
* @inode: The inode to attach to this dentry
|
|
|
|
*
|
|
|
|
* This adds the entry to the hash queues and initializes @inode.
|
|
|
|
* The entry was actually filled in earlier during d_alloc().
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline void d_add(struct dentry *entry, struct inode *inode)
|
|
|
|
{
|
|
|
|
d_instantiate(entry, inode);
|
|
|
|
d_rehash(entry);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* d_add_unique - add dentry to hash queues without aliasing
|
|
|
|
* @entry: dentry to add
|
|
|
|
* @inode: The inode to attach to this dentry
|
|
|
|
*
|
|
|
|
* This adds the entry to the hash queues and initializes @inode.
|
|
|
|
* The entry was actually filled in earlier during d_alloc().
|
|
|
|
*/
|
|
|
|
static inline struct dentry *d_add_unique(struct dentry *entry, struct inode *inode)
|
|
|
|
{
|
|
|
|
struct dentry *res;
|
|
|
|
|
|
|
|
res = d_instantiate_unique(entry, inode);
|
|
|
|
d_rehash(res != NULL ? res : entry);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
2011-01-07 14:49:26 +08:00
|
|
|
extern void dentry_update_name_case(struct dentry *, struct qstr *);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* used for rename() and baskets */
|
|
|
|
extern void d_move(struct dentry *, struct dentry *);
|
2008-10-16 06:50:28 +08:00
|
|
|
extern struct dentry *d_ancestor(struct dentry *, struct dentry *);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* appendix may either be NULL or be used for transname suffixes */
|
fs: rcu-walk for path lookup
Perform common cases of path lookups without any stores or locking in the
ancestor dentry elements. This is called rcu-walk, as opposed to the current
algorithm which is a refcount based walk, or ref-walk.
This results in far fewer atomic operations on every path element,
significantly improving path lookup performance. It also avoids cacheline
bouncing on common dentries, significantly improving scalability.
The overall design is like this:
* LOOKUP_RCU is set in nd->flags, which distinguishes rcu-walk from ref-walk.
* Take the RCU lock for the entire path walk, starting with the acquiring
of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are
not required for dentry persistence.
* synchronize_rcu is called when unregistering a filesystem, so we can
access d_ops and i_ops during rcu-walk.
* Similarly take the vfsmount lock for the entire path walk. So now mnt
refcounts are not required for persistence. Also we are free to perform mount
lookups, and to assume dentry mount points and mount roots are stable up and
down the path.
* Have a per-dentry seqlock to protect the dentry name, parent, and inode,
so we can load this tuple atomically, and also check whether any of its
members have changed.
* Dentry lookups (based on parent, candidate string tuple) recheck the parent
sequence after the child is found in case anything changed in the parent
during the path walk.
* inode is also RCU protected so we can load d_inode and use the inode for
limited things.
* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.
* i_op can be loaded.
When we reach the destination dentry, we lock it, recheck lookup sequence,
and increment its refcount and mountpoint refcount. RCU and vfsmount locks
are dropped. This is termed "dropping rcu-walk". If the dentry refcount does
not match, we can not drop rcu-walk gracefully at the current point in the
lokup, so instead return -ECHILD (for want of a better errno). This signals the
path walking code to re-do the entire lookup with a ref-walk.
Aside from the final dentry, there are other situations that may be encounted
where we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take
a reference on the last good dentry) and continue with a ref-walk. Again, if
we can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup
using ref-walk. But it is very important that we can continue with ref-walk
for most cases, particularly to avoid the overhead of double lookups, and to
gain the scalability advantages on common path elements (like cwd and root).
The cases where rcu-walk cannot continue are:
* NULL dentry (ie. any uncached path element)
* parent with d_inode->i_op->permission or ACLs
* dentries with d_revalidate
* Following links
In future patches, permission checks and d_revalidate become rcu-walk aware. It
may be possible eventually to make following links rcu-walk aware.
Uncached path elements will always require dropping to ref-walk mode, at the
very least because i_mutex needs to be grabbed, and objects allocated.
Signed-off-by: Nick Piggin <npiggin@kernel.dk>
2011-01-07 14:49:52 +08:00
|
|
|
extern struct dentry *d_lookup(struct dentry *, struct qstr *);
|
|
|
|
extern struct dentry *d_hash_and_lookup(struct dentry *, struct qstr *);
|
|
|
|
extern struct dentry *__d_lookup(struct dentry *, struct qstr *);
|
|
|
|
extern struct dentry *__d_lookup_rcu(struct dentry *parent, struct qstr *name,
|
|
|
|
unsigned *seq, struct inode **inode);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* __d_rcu_to_refcount - take a refcount on dentry if sequence check is ok
|
|
|
|
* @dentry: dentry to take a ref on
|
|
|
|
* @seq: seqcount to verify against
|
2011-01-09 11:37:20 +08:00
|
|
|
* Returns: 0 on failure, else 1.
|
fs: rcu-walk for path lookup
Perform common cases of path lookups without any stores or locking in the
ancestor dentry elements. This is called rcu-walk, as opposed to the current
algorithm which is a refcount based walk, or ref-walk.
This results in far fewer atomic operations on every path element,
significantly improving path lookup performance. It also avoids cacheline
bouncing on common dentries, significantly improving scalability.
The overall design is like this:
* LOOKUP_RCU is set in nd->flags, which distinguishes rcu-walk from ref-walk.
* Take the RCU lock for the entire path walk, starting with the acquiring
of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are
not required for dentry persistence.
* synchronize_rcu is called when unregistering a filesystem, so we can
access d_ops and i_ops during rcu-walk.
* Similarly take the vfsmount lock for the entire path walk. So now mnt
refcounts are not required for persistence. Also we are free to perform mount
lookups, and to assume dentry mount points and mount roots are stable up and
down the path.
* Have a per-dentry seqlock to protect the dentry name, parent, and inode,
so we can load this tuple atomically, and also check whether any of its
members have changed.
* Dentry lookups (based on parent, candidate string tuple) recheck the parent
sequence after the child is found in case anything changed in the parent
during the path walk.
* inode is also RCU protected so we can load d_inode and use the inode for
limited things.
* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.
* i_op can be loaded.
When we reach the destination dentry, we lock it, recheck lookup sequence,
and increment its refcount and mountpoint refcount. RCU and vfsmount locks
are dropped. This is termed "dropping rcu-walk". If the dentry refcount does
not match, we can not drop rcu-walk gracefully at the current point in the
lokup, so instead return -ECHILD (for want of a better errno). This signals the
path walking code to re-do the entire lookup with a ref-walk.
Aside from the final dentry, there are other situations that may be encounted
where we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take
a reference on the last good dentry) and continue with a ref-walk. Again, if
we can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup
using ref-walk. But it is very important that we can continue with ref-walk
for most cases, particularly to avoid the overhead of double lookups, and to
gain the scalability advantages on common path elements (like cwd and root).
The cases where rcu-walk cannot continue are:
* NULL dentry (ie. any uncached path element)
* parent with d_inode->i_op->permission or ACLs
* dentries with d_revalidate
* Following links
In future patches, permission checks and d_revalidate become rcu-walk aware. It
may be possible eventually to make following links rcu-walk aware.
Uncached path elements will always require dropping to ref-walk mode, at the
very least because i_mutex needs to be grabbed, and objects allocated.
Signed-off-by: Nick Piggin <npiggin@kernel.dk>
2011-01-07 14:49:52 +08:00
|
|
|
*
|
|
|
|
* __d_rcu_to_refcount operates on a dentry,seq pair that was returned
|
|
|
|
* by __d_lookup_rcu, to get a reference on an rcu-walk dentry.
|
|
|
|
*/
|
|
|
|
static inline int __d_rcu_to_refcount(struct dentry *dentry, unsigned seq)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
assert_spin_locked(&dentry->d_lock);
|
|
|
|
if (!read_seqcount_retry(&dentry->d_seq, seq)) {
|
|
|
|
ret = 1;
|
|
|
|
dentry->d_count++;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* validate "insecure" dentry pointer */
|
|
|
|
extern int d_validate(struct dentry *, struct dentry *);
|
|
|
|
|
2007-05-08 15:26:18 +08:00
|
|
|
/*
|
|
|
|
* helper function for dentry_operations.d_dname() members
|
|
|
|
*/
|
|
|
|
extern char *dynamic_dname(struct dentry *, char *, int, const char *, ...);
|
|
|
|
|
fix apparmor dereferencing potentially freed dentry, sanitize __d_path() API
__d_path() API is asking for trouble and in case of apparmor d_namespace_path()
getting just that. The root cause is that when __d_path() misses the root
it had been told to look for, it stores the location of the most remote ancestor
in *root. Without grabbing references. Sure, at the moment of call it had
been pinned down by what we have in *path. And if we raced with umount -l, we
could have very well stopped at vfsmount/dentry that got freed as soon as
prepend_path() dropped vfsmount_lock.
It is safe to compare these pointers with pre-existing (and known to be still
alive) vfsmount and dentry, as long as all we are asking is "is it the same
address?". Dereferencing is not safe and apparmor ended up stepping into
that. d_namespace_path() really wants to examine the place where we stopped,
even if it's not connected to our namespace. As the result, it looked
at ->d_sb->s_magic of a dentry that might've been already freed by that point.
All other callers had been careful enough to avoid that, but it's really
a bad interface - it invites that kind of trouble.
The fix is fairly straightforward, even though it's bigger than I'd like:
* prepend_path() root argument becomes const.
* __d_path() is never called with NULL/NULL root. It was a kludge
to start with. Instead, we have an explicit function - d_absolute_root().
Same as __d_path(), except that it doesn't get root passed and stops where
it stops. apparmor and tomoyo are using it.
* __d_path() returns NULL on path outside of root. The main
caller is show_mountinfo() and that's precisely what we pass root for - to
skip those outside chroot jail. Those who don't want that can (and do)
use d_path().
* __d_path() root argument becomes const. Everyone agrees, I hope.
* apparmor does *NOT* try to use __d_path() or any of its variants
when it sees that path->mnt is an internal vfsmount. In that case it's
definitely not mounted anywhere and dentry_path() is exactly what we want
there. Handling of sysctl()-triggered weirdness is moved to that place.
* if apparmor is asked to do pathname relative to chroot jail
and __d_path() tells it we it's not in that jail, the sucker just calls
d_absolute_path() instead. That's the other remaining caller of __d_path(),
BTW.
* seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
the normal seq_file logics will take care of growing the buffer and redoing
the call of ->show() just fine). However, if it gets path not reachable
from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped
ignoring the return value as it used to do).
Reviewed-by: John Johansen <john.johansen@canonical.com>
ACKed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
2011-12-05 21:43:34 +08:00
|
|
|
extern char *__d_path(const struct path *, const struct path *, char *, int);
|
|
|
|
extern char *d_absolute_path(const struct path *, char *, int);
|
2008-06-10 07:40:36 +08:00
|
|
|
extern char *d_path(const struct path *, char *, int);
|
2010-08-10 17:41:41 +08:00
|
|
|
extern char *d_path_with_unreachable(const struct path *, char *, int);
|
2011-01-07 14:49:29 +08:00
|
|
|
extern char *dentry_path_raw(struct dentry *, char *, int);
|
2008-03-27 20:06:20 +08:00
|
|
|
extern char *dentry_path(struct dentry *, char *, int);
|
2008-02-15 11:38:44 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Allocation counts.. */
|
|
|
|
|
|
|
|
/**
|
2011-01-07 14:49:43 +08:00
|
|
|
* dget, dget_dlock - get a reference to a dentry
|
2005-04-17 06:20:36 +08:00
|
|
|
* @dentry: dentry to get a reference to
|
|
|
|
*
|
|
|
|
* Given a dentry or %NULL pointer increment the reference count
|
|
|
|
* if appropriate and return the dentry. A dentry will not be
|
2011-01-07 14:49:43 +08:00
|
|
|
* destroyed when it has references.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-01-07 14:49:32 +08:00
|
|
|
static inline struct dentry *dget_dlock(struct dentry *dentry)
|
|
|
|
{
|
2011-01-07 14:49:43 +08:00
|
|
|
if (dentry)
|
2011-01-07 14:49:32 +08:00
|
|
|
dentry->d_count++;
|
|
|
|
return dentry;
|
|
|
|
}
|
2011-01-07 14:49:34 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline struct dentry *dget(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
if (dentry) {
|
2011-01-07 14:49:32 +08:00
|
|
|
spin_lock(&dentry->d_lock);
|
|
|
|
dget_dlock(dentry);
|
|
|
|
spin_unlock(&dentry->d_lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
return dentry;
|
|
|
|
}
|
|
|
|
|
2011-01-07 14:49:32 +08:00
|
|
|
extern struct dentry *dget_parent(struct dentry *dentry);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/**
|
|
|
|
* d_unhashed - is dentry hashed
|
|
|
|
* @dentry: entry to check
|
|
|
|
*
|
|
|
|
* Returns true if the dentry passed is not currently hashed.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline int d_unhashed(struct dentry *dentry)
|
|
|
|
{
|
vfs: get rid of insane dentry hashing rules
The dentry hashing rules have been really quite complicated for a long
while, in odd ways. That made functions like __d_drop() very fragile
and non-obvious.
In particular, whether a dentry was hashed or not was indicated with an
explicit DCACHE_UNHASHED bit. That's despite the fact that the hash
abstraction that the dentries use actually have a 'is this entry hashed
or not' model (which is a simple test of the 'pprev' pointer).
The reason that was done is because we used the normal 'is this entry
unhashed' model to mark whether the dentry had _ever_ been hashed in the
dentry hash tables, and that logic goes back many years (commit
b3423415fbc2: "dcache: avoid RCU for never-hashed dentries").
That, in turn, meant that __d_drop had totally different unhashing logic
for the dentry hash table case and for the anonymous dcache case,
because in order to use the "is this dentry hashed" logic as a flag for
whether it had ever been on the RCU hash table, we had to unhash such a
dentry differently so that we'd never think that it wasn't 'unhashed'
and wouldn't be free'd correctly.
That's just insane. It made the logic really hard to follow, when there
were two different kinds of "unhashed" states, and one of them (the one
that used "list_bl_unhashed()") really had nothing at all to do with
being unhashed per se, but with a very subtle lifetime rule instead.
So turn all of it around, and make it logical.
Instead of having a DENTRY_UNHASHED bit in d_flags to indicate whether
the dentry is on the hash chains or not, use the hash chain unhashed
logic for that. Suddenly "d_unhashed()" just uses "list_bl_unhashed()",
and everything makes sense.
And for the lifetime rule, just use an explicit DENTRY_RCUACCEES bit.
If we ever insert the dentry into the dentry hash table so that it is
visible to RCU lookup, we mark it DENTRY_RCUACCESS to show that it now
needs the RCU lifetime rules. Now suddently that test at dentry free
time makes sense too.
And because unhashing now is sane and doesn't depend on where the dentry
got unhashed from (because the dentry hash chain details doesn't have
some subtle side effects), we can re-unify the __d_drop() logic and use
common code for the unhashing.
Also fix one more open-coded hash chain bit_spin_lock() that I missed in
the previous chain locking cleanup commit.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-04-24 22:58:46 +08:00
|
|
|
return hlist_bl_unhashed(&dentry->d_hash);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2009-05-04 07:32:03 +08:00
|
|
|
static inline int d_unlinked(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return d_unhashed(dentry) && !IS_ROOT(dentry);
|
|
|
|
}
|
|
|
|
|
2010-05-01 05:17:09 +08:00
|
|
|
static inline int cant_mount(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return (dentry->d_flags & DCACHE_CANT_MOUNT);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void dont_mount(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
spin_lock(&dentry->d_lock);
|
|
|
|
dentry->d_flags |= DCACHE_CANT_MOUNT;
|
|
|
|
spin_unlock(&dentry->d_lock);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void dput(struct dentry *);
|
|
|
|
|
Add a dentry op to allow processes to be held during pathwalk transit
Add a dentry op (d_manage) to permit a filesystem to hold a process and make it
sleep when it tries to transit away from one of that filesystem's directories
during a pathwalk. The operation is keyed off a new dentry flag
(DCACHE_MANAGE_TRANSIT).
The filesystem is allowed to be selective about which processes it holds and
which it permits to continue on or prohibits from transiting from each flagged
directory. This will allow autofs to hold up client processes whilst letting
its userspace daemon through to maintain the directory or the stuff behind it
or mounted upon it.
The ->d_manage() dentry operation:
int (*d_manage)(struct path *path, bool mounting_here);
takes a pointer to the directory about to be transited away from and a flag
indicating whether the transit is undertaken by do_add_mount() or
do_move_mount() skipping through a pile of filesystems mounted on a mountpoint.
It should return 0 if successful and to let the process continue on its way;
-EISDIR to prohibit the caller from skipping to overmounted filesystems or
automounting, and to use this directory; or some other error code to return to
the user.
->d_manage() is called with namespace_sem writelocked if mounting_here is true
and no other locks held, so it may sleep. However, if mounting_here is true,
it may not initiate or wait for a mount or unmount upon the parameter
directory, even if the act is actually performed by userspace.
Within fs/namei.c, follow_managed() is extended to check with d_manage() first
on each managed directory, before transiting away from it or attempting to
automount upon it.
follow_down() is renamed follow_down_one() and should only be used where the
filesystem deliberately intends to avoid management steps (e.g. autofs).
A new follow_down() is added that incorporates the loop done by all other
callers of follow_down() (do_add/move_mount(), autofs and NFSD; whilst AFS, NFS
and CIFS do use it, their use is removed by converting them to use
d_automount()). The new follow_down() calls d_manage() as appropriate. It
also takes an extra parameter to indicate if it is being called from mount code
(with namespace_sem writelocked) which it passes to d_manage(). follow_down()
ignores automount points so that it can be used to mount on them.
__follow_mount_rcu() is made to abort rcu-walk mode if it hits a directory with
DCACHE_MANAGE_TRANSIT set on the basis that we're probably going to have to
sleep. It would be possible to enter d_manage() in rcu-walk mode too, and have
that determine whether to abort or not itself. That would allow the autofs
daemon to continue on in rcu-walk mode.
Note that DCACHE_MANAGE_TRANSIT on a directory should be cleared when it isn't
required as every tranist from that directory will cause d_manage() to be
invoked. It can always be set again when necessary.
==========================
WHAT THIS MEANS FOR AUTOFS
==========================
Autofs currently uses the lookup() inode op and the d_revalidate() dentry op to
trigger the automounting of indirect mounts, and both of these can be called
with i_mutex held.
autofs knows that the i_mutex will be held by the caller in lookup(), and so
can drop it before invoking the daemon - but this isn't so for d_revalidate(),
since the lock is only held on _some_ of the code paths that call it. This
means that autofs can't risk dropping i_mutex from its d_revalidate() function
before it calls the daemon.
The bug could manifest itself as, for example, a process that's trying to
validate an automount dentry that gets made to wait because that dentry is
expired and needs cleaning up:
mkdir S ffffffff8014e05a 0 32580 24956
Call Trace:
[<ffffffff885371fd>] :autofs4:autofs4_wait+0x674/0x897
[<ffffffff80127f7d>] avc_has_perm+0x46/0x58
[<ffffffff8009fdcf>] autoremove_wake_function+0x0/0x2e
[<ffffffff88537be6>] :autofs4:autofs4_expire_wait+0x41/0x6b
[<ffffffff88535cfc>] :autofs4:autofs4_revalidate+0x91/0x149
[<ffffffff80036d96>] __lookup_hash+0xa0/0x12f
[<ffffffff80057a2f>] lookup_create+0x46/0x80
[<ffffffff800e6e31>] sys_mkdirat+0x56/0xe4
versus the automount daemon which wants to remove that dentry, but can't
because the normal process is holding the i_mutex lock:
automount D ffffffff8014e05a 0 32581 1 32561
Call Trace:
[<ffffffff80063c3f>] __mutex_lock_slowpath+0x60/0x9b
[<ffffffff8000ccf1>] do_path_lookup+0x2ca/0x2f1
[<ffffffff80063c89>] .text.lock.mutex+0xf/0x14
[<ffffffff800e6d55>] do_rmdir+0x77/0xde
[<ffffffff8005d229>] tracesys+0x71/0xe0
[<ffffffff8005d28d>] tracesys+0xd5/0xe0
which means that the system is deadlocked.
This patch allows autofs to hold up normal processes whilst the daemon goes
ahead and does things to the dentry tree behind the automouter point without
risking a deadlock as almost no locks are held in d_manage() and none in
d_automount().
Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 02:45:26 +08:00
|
|
|
static inline bool d_managed(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return dentry->d_flags & DCACHE_MANAGED_DENTRY;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool d_mountpoint(struct dentry *dentry)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-01-07 14:49:54 +08:00
|
|
|
return dentry->d_flags & DCACHE_MOUNTED;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-05-31 23:58:49 +08:00
|
|
|
static inline bool d_need_lookup(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return dentry->d_flags & DCACHE_NEED_LOOKUP;
|
|
|
|
}
|
|
|
|
|
|
|
|
extern void d_clear_need_lookup(struct dentry *dentry);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
extern int sysctl_vfs_cache_pressure;
|
|
|
|
|
|
|
|
#endif /* __LINUX_DCACHE_H */
|