Based on kernel version 2.6.26. Page generated on 2008-07-16 21:12 EST.
1 The text below describes the locking rules for VFS-related methods. 2 It is (believed to be) up-to-date. *Please*, if you change anything in 3 prototypes or locking protocols - update this file. And update the relevant 4 instances in the tree, don't leave that to maintainers of filesystems/devices/ 5 etc. At the very least, put the list of dubious cases in the end of this file. 6 Don't turn it into log - maintainers of out-of-the-tree code are supposed to 7 be able to use diff(1). 8 Thing currently missing here: socket operations. Alexey? 9 10 --------------------------- dentry_operations -------------------------- 11 prototypes: 12 int (*d_revalidate)(struct dentry *, int); 13 int (*d_hash) (struct dentry *, struct qstr *); 14 int (*d_compare) (struct dentry *, struct qstr *, struct qstr *); 15 int (*d_delete)(struct dentry *); 16 void (*d_release)(struct dentry *); 17 void (*d_iput)(struct dentry *, struct inode *); 18 char *(*d_dname)((struct dentry *dentry, char *buffer, int buflen); 19 20 locking rules: 21 none have BKL 22 dcache_lock rename_lock ->d_lock may block 23 d_revalidate: no no no yes 24 d_hash no no no yes 25 d_compare: no yes no no 26 d_delete: yes no yes no 27 d_release: no no no yes 28 d_iput: no no no yes 29 d_dname: no no no no 30 31 --------------------------- inode_operations --------------------------- 32 prototypes: 33 int (*create) (struct inode *,struct dentry *,int, struct nameidata *); 34 struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameid 35 ata *); 36 int (*link) (struct dentry *,struct inode *,struct dentry *); 37 int (*unlink) (struct inode *,struct dentry *); 38 int (*symlink) (struct inode *,struct dentry *,const char *); 39 int (*mkdir) (struct inode *,struct dentry *,int); 40 int (*rmdir) (struct inode *,struct dentry *); 41 int (*mknod) (struct inode *,struct dentry *,int,dev_t); 42 int (*rename) (struct inode *, struct dentry *, 43 struct inode *, struct dentry *); 44 int (*readlink) (struct dentry *, char __user *,int); 45 int (*follow_link) (struct dentry *, struct nameidata *); 46 void (*truncate) (struct inode *); 47 int (*permission) (struct inode *, int, struct nameidata *); 48 int (*setattr) (struct dentry *, struct iattr *); 49 int (*getattr) (struct vfsmount *, struct dentry *, struct kstat *); 50 int (*setxattr) (struct dentry *, const char *,const void *,size_t,int); 51 ssize_t (*getxattr) (struct dentry *, const char *, void *, size_t); 52 ssize_t (*listxattr) (struct dentry *, char *, size_t); 53 int (*removexattr) (struct dentry *, const char *); 54 55 locking rules: 56 all may block, none have BKL 57 i_mutex(inode) 58 lookup: yes 59 create: yes 60 link: yes (both) 61 mknod: yes 62 symlink: yes 63 mkdir: yes 64 unlink: yes (both) 65 rmdir: yes (both) (see below) 66 rename: yes (all) (see below) 67 readlink: no 68 follow_link: no 69 truncate: yes (see below) 70 setattr: yes 71 permission: no 72 getattr: no 73 setxattr: yes 74 getxattr: no 75 listxattr: no 76 removexattr: yes 77 Additionally, ->rmdir(), ->unlink() and ->rename() have ->i_mutex on 78 victim. 79 cross-directory ->rename() has (per-superblock) ->s_vfs_rename_sem. 80 ->truncate() is never called directly - it's a callback, not a 81 method. It's called by vmtruncate() - library function normally used by 82 ->setattr(). Locking information above applies to that call (i.e. is 83 inherited from ->setattr() - vmtruncate() is used when ATTR_SIZE had been 84 passed). 85 86 See Documentation/filesystems/directory-locking for more detailed discussion 87 of the locking scheme for directory operations. 88 89 --------------------------- super_operations --------------------------- 90 prototypes: 91 struct inode *(*alloc_inode)(struct super_block *sb); 92 void (*destroy_inode)(struct inode *); 93 void (*dirty_inode) (struct inode *); 94 int (*write_inode) (struct inode *, int); 95 void (*put_inode) (struct inode *); 96 void (*drop_inode) (struct inode *); 97 void (*delete_inode) (struct inode *); 98 void (*put_super) (struct super_block *); 99 void (*write_super) (struct super_block *); 100 int (*sync_fs)(struct super_block *sb, int wait); 101 void (*write_super_lockfs) (struct super_block *); 102 void (*unlockfs) (struct super_block *); 103 int (*statfs) (struct dentry *, struct kstatfs *); 104 int (*remount_fs) (struct super_block *, int *, char *); 105 void (*clear_inode) (struct inode *); 106 void (*umount_begin) (struct super_block *); 107 int (*show_options)(struct seq_file *, struct vfsmount *); 108 ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t); 109 ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t); 110 111 locking rules: 112 All may block. 113 BKL s_lock s_umount 114 alloc_inode: no no no 115 destroy_inode: no 116 dirty_inode: no (must not sleep) 117 write_inode: no 118 put_inode: no 119 drop_inode: no !!!inode_lock!!! 120 delete_inode: no 121 put_super: yes yes no 122 write_super: no yes read 123 sync_fs: no no read 124 write_super_lockfs: ? 125 unlockfs: ? 126 statfs: no no no 127 remount_fs: yes yes maybe (see below) 128 clear_inode: no 129 umount_begin: yes no no 130 show_options: no (vfsmount->sem) 131 quota_read: no no no (see below) 132 quota_write: no no no (see below) 133 134 ->remount_fs() will have the s_umount lock if it's already mounted. 135 When called from get_sb_single, it does NOT have the s_umount lock. 136 ->quota_read() and ->quota_write() functions are both guaranteed to 137 be the only ones operating on the quota file by the quota code (via 138 dqio_sem) (unless an admin really wants to screw up something and 139 writes to quota files with quotas on). For other details about locking 140 see also dquot_operations section. 141 142 --------------------------- file_system_type --------------------------- 143 prototypes: 144 int (*get_sb) (struct file_system_type *, int, 145 const char *, void *, struct vfsmount *); 146 void (*kill_sb) (struct super_block *); 147 locking rules: 148 may block BKL 149 get_sb yes yes 150 kill_sb yes yes 151 152 ->get_sb() returns error or 0 with locked superblock attached to the vfsmount 153 (exclusive on ->s_umount). 154 ->kill_sb() takes a write-locked superblock, does all shutdown work on it, 155 unlocks and drops the reference. 156 157 --------------------------- address_space_operations -------------------------- 158 prototypes: 159 int (*writepage)(struct page *page, struct writeback_control *wbc); 160 int (*readpage)(struct file *, struct page *); 161 int (*sync_page)(struct page *); 162 int (*writepages)(struct address_space *, struct writeback_control *); 163 int (*set_page_dirty)(struct page *page); 164 int (*readpages)(struct file *filp, struct address_space *mapping, 165 struct list_head *pages, unsigned nr_pages); 166 int (*prepare_write)(struct file *, struct page *, unsigned, unsigned); 167 int (*commit_write)(struct file *, struct page *, unsigned, unsigned); 168 sector_t (*bmap)(struct address_space *, sector_t); 169 int (*invalidatepage) (struct page *, unsigned long); 170 int (*releasepage) (struct page *, int); 171 int (*direct_IO)(int, struct kiocb *, const struct iovec *iov, 172 loff_t offset, unsigned long nr_segs); 173 int (*launder_page) (struct page *); 174 175 locking rules: 176 All except set_page_dirty may block 177 178 BKL PageLocked(page) i_sem 179 writepage: no yes, unlocks (see below) 180 readpage: no yes, unlocks 181 sync_page: no maybe 182 writepages: no 183 set_page_dirty no no 184 readpages: no 185 prepare_write: no yes yes 186 commit_write: no yes yes 187 write_begin: no locks the page yes 188 write_end: no yes, unlocks yes 189 perform_write: no n/a yes 190 bmap: yes 191 invalidatepage: no yes 192 releasepage: no yes 193 direct_IO: no 194 launder_page: no yes 195 196 ->prepare_write(), ->commit_write(), ->sync_page() and ->readpage() 197 may be called from the request handler (/dev/loop). 198 199 ->readpage() unlocks the page, either synchronously or via I/O 200 completion. 201 202 ->readpages() populates the pagecache with the passed pages and starts 203 I/O against them. They come unlocked upon I/O completion. 204 205 ->writepage() is used for two purposes: for "memory cleansing" and for 206 "sync". These are quite different operations and the behaviour may differ 207 depending upon the mode. 208 209 If writepage is called for sync (wbc->sync_mode != WBC_SYNC_NONE) then 210 it *must* start I/O against the page, even if that would involve 211 blocking on in-progress I/O. 212 213 If writepage is called for memory cleansing (sync_mode == 214 WBC_SYNC_NONE) then its role is to get as much writeout underway as 215 possible. So writepage should try to avoid blocking against 216 currently-in-progress I/O. 217 218 If the filesystem is not called for "sync" and it determines that it 219 would need to block against in-progress I/O to be able to start new I/O 220 against the page the filesystem should redirty the page with 221 redirty_page_for_writepage(), then unlock the page and return zero. 222 This may also be done to avoid internal deadlocks, but rarely. 223 224 If the filesystem is called for sync then it must wait on any 225 in-progress I/O and then start new I/O. 226 227 The filesystem should unlock the page synchronously, before returning to the 228 caller, unless ->writepage() returns special WRITEPAGE_ACTIVATE 229 value. WRITEPAGE_ACTIVATE means that page cannot really be written out 230 currently, and VM should stop calling ->writepage() on this page for some 231 time. VM does this by moving page to the head of the active list, hence the 232 name. 233 234 Unless the filesystem is going to redirty_page_for_writepage(), unlock the page 235 and return zero, writepage *must* run set_page_writeback() against the page, 236 followed by unlocking it. Once set_page_writeback() has been run against the 237 page, write I/O can be submitted and the write I/O completion handler must run 238 end_page_writeback() once the I/O is complete. If no I/O is submitted, the 239 filesystem must run end_page_writeback() against the page before returning from 240 writepage. 241 242 That is: after 2.5.12, pages which are under writeout are *not* locked. Note, 243 if the filesystem needs the page to be locked during writeout, that is ok, too, 244 the page is allowed to be unlocked at any point in time between the calls to 245 set_page_writeback() and end_page_writeback(). 246 247 Note, failure to run either redirty_page_for_writepage() or the combination of 248 set_page_writeback()/end_page_writeback() on a page submitted to writepage 249 will leave the page itself marked clean but it will be tagged as dirty in the 250 radix tree. This incoherency can lead to all sorts of hard-to-debug problems 251 in the filesystem like having dirty inodes at umount and losing written data. 252 253 ->sync_page() locking rules are not well-defined - usually it is called 254 with lock on page, but that is not guaranteed. Considering the currently 255 existing instances of this method ->sync_page() itself doesn't look 256 well-defined... 257 258 ->writepages() is used for periodic writeback and for syscall-initiated 259 sync operations. The address_space should start I/O against at least 260 *nr_to_write pages. *nr_to_write must be decremented for each page which is 261 written. The address_space implementation may write more (or less) pages 262 than *nr_to_write asks for, but it should try to be reasonably close. If 263 nr_to_write is NULL, all dirty pages must be written. 264 265 writepages should _only_ write pages which are present on 266 mapping->io_pages. 267 268 ->set_page_dirty() is called from various places in the kernel 269 when the target page is marked as needing writeback. It may be called 270 under spinlock (it cannot block) and is sometimes called with the page 271 not locked. 272 273 ->bmap() is currently used by legacy ioctl() (FIBMAP) provided by some 274 filesystems and by the swapper. The latter will eventually go away. All 275 instances do not actually need the BKL. Please, keep it that way and don't 276 breed new callers. 277 278 ->invalidatepage() is called when the filesystem must attempt to drop 279 some or all of the buffers from the page when it is being truncated. It 280 returns zero on success. If ->invalidatepage is zero, the kernel uses 281 block_invalidatepage() instead. 282 283 ->releasepage() is called when the kernel is about to try to drop the 284 buffers from the page in preparation for freeing it. It returns zero to 285 indicate that the buffers are (or may be) freeable. If ->releasepage is zero, 286 the kernel assumes that the fs has no private interest in the buffers. 287 288 ->launder_page() may be called prior to releasing a page if 289 it is still found to be dirty. It returns zero if the page was successfully 290 cleaned, or an error value if not. Note that in order to prevent the page 291 getting mapped back in and redirtied, it needs to be kept locked 292 across the entire operation. 293 294 Note: currently almost all instances of address_space methods are 295 using BKL for internal serialization and that's one of the worst sources 296 of contention. Normally they are calling library functions (in fs/buffer.c) 297 and pass foo_get_block() as a callback (on local block-based filesystems, 298 indeed). BKL is not needed for library stuff and is usually taken by 299 foo_get_block(). It's an overkill, since block bitmaps can be protected by 300 internal fs locking and real critical areas are much smaller than the areas 301 filesystems protect now. 302 303 ----------------------- file_lock_operations ------------------------------ 304 prototypes: 305 void (*fl_insert)(struct file_lock *); /* lock insertion callback */ 306 void (*fl_remove)(struct file_lock *); /* lock removal callback */ 307 void (*fl_copy_lock)(struct file_lock *, struct file_lock *); 308 void (*fl_release_private)(struct file_lock *); 309 310 311 locking rules: 312 BKL may block 313 fl_insert: yes no 314 fl_remove: yes no 315 fl_copy_lock: yes no 316 fl_release_private: yes yes 317 318 ----------------------- lock_manager_operations --------------------------- 319 prototypes: 320 int (*fl_compare_owner)(struct file_lock *, struct file_lock *); 321 void (*fl_notify)(struct file_lock *); /* unblock callback */ 322 void (*fl_copy_lock)(struct file_lock *, struct file_lock *); 323 void (*fl_release_private)(struct file_lock *); 324 void (*fl_break)(struct file_lock *); /* break_lease callback */ 325 326 locking rules: 327 BKL may block 328 fl_compare_owner: yes no 329 fl_notify: yes no 330 fl_copy_lock: yes no 331 fl_release_private: yes yes 332 fl_break: yes no 333 334 Currently only NFSD and NLM provide instances of this class. None of the 335 them block. If you have out-of-tree instances - please, show up. Locking 336 in that area will change. 337 --------------------------- buffer_head ----------------------------------- 338 prototypes: 339 void (*b_end_io)(struct buffer_head *bh, int uptodate); 340 341 locking rules: 342 called from interrupts. In other words, extreme care is needed here. 343 bh is locked, but that's all warranties we have here. Currently only RAID1, 344 highmem, fs/buffer.c, and fs/ntfs/aops.c are providing these. Block devices 345 call this method upon the IO completion. 346 347 --------------------------- block_device_operations ----------------------- 348 prototypes: 349 int (*open) (struct inode *, struct file *); 350 int (*release) (struct inode *, struct file *); 351 int (*ioctl) (struct inode *, struct file *, unsigned, unsigned long); 352 int (*media_changed) (struct gendisk *); 353 int (*revalidate_disk) (struct gendisk *); 354 355 locking rules: 356 BKL bd_sem 357 open: yes yes 358 release: yes yes 359 ioctl: yes no 360 media_changed: no no 361 revalidate_disk: no no 362 363 The last two are called only from check_disk_change(). 364 365 --------------------------- file_operations ------------------------------- 366 prototypes: 367 loff_t (*llseek) (struct file *, loff_t, int); 368 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *); 369 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); 370 ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t); 371 ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t); 372 int (*readdir) (struct file *, void *, filldir_t); 373 unsigned int (*poll) (struct file *, struct poll_table_struct *); 374 int (*ioctl) (struct inode *, struct file *, unsigned int, 375 unsigned long); 376 long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long); 377 long (*compat_ioctl) (struct file *, unsigned int, unsigned long); 378 int (*mmap) (struct file *, struct vm_area_struct *); 379 int (*open) (struct inode *, struct file *); 380 int (*flush) (struct file *); 381 int (*release) (struct inode *, struct file *); 382 int (*fsync) (struct file *, struct dentry *, int datasync); 383 int (*aio_fsync) (struct kiocb *, int datasync); 384 int (*fasync) (int, struct file *, int); 385 int (*lock) (struct file *, int, struct file_lock *); 386 ssize_t (*readv) (struct file *, const struct iovec *, unsigned long, 387 loff_t *); 388 ssize_t (*writev) (struct file *, const struct iovec *, unsigned long, 389 loff_t *); 390 ssize_t (*sendfile) (struct file *, loff_t *, size_t, read_actor_t, 391 void __user *); 392 ssize_t (*sendpage) (struct file *, struct page *, int, size_t, 393 loff_t *, int); 394 unsigned long (*get_unmapped_area)(struct file *, unsigned long, 395 unsigned long, unsigned long, unsigned long); 396 int (*check_flags)(int); 397 int (*dir_notify)(struct file *, unsigned long); 398 }; 399 400 locking rules: 401 All except ->poll() may block. 402 BKL 403 llseek: no (see below) 404 read: no 405 aio_read: no 406 write: no 407 aio_write: no 408 readdir: no 409 poll: no 410 ioctl: yes (see below) 411 unlocked_ioctl: no (see below) 412 compat_ioctl: no 413 mmap: no 414 open: maybe (see below) 415 flush: no 416 release: no 417 fsync: no (see below) 418 aio_fsync: no 419 fasync: yes (see below) 420 lock: yes 421 readv: no 422 writev: no 423 sendfile: no 424 sendpage: no 425 get_unmapped_area: no 426 check_flags: no 427 dir_notify: no 428 429 ->llseek() locking has moved from llseek to the individual llseek 430 implementations. If your fs is not using generic_file_llseek, you 431 need to acquire and release the appropriate locks in your ->llseek(). 432 For many filesystems, it is probably safe to acquire the inode 433 semaphore. Note some filesystems (i.e. remote ones) provide no 434 protection for i_size so you will need to use the BKL. 435 436 ->open() locking is in-transit: big lock partially moved into the methods. 437 The only exception is ->open() in the instances of file_operations that never 438 end up in ->i_fop/->proc_fops, i.e. ones that belong to character devices 439 (chrdev_open() takes lock before replacing ->f_op and calling the secondary 440 method. As soon as we fix the handling of module reference counters all 441 instances of ->open() will be called without the BKL. 442 443 Note: ext2_release() was *the* source of contention on fs-intensive 444 loads and dropping BKL on ->release() helps to get rid of that (we still 445 grab BKL for cases when we close a file that had been opened r/w, but that 446 can and should be done using the internal locking with smaller critical areas). 447 Current worst offender is ext2_get_block()... 448 449 ->fasync() is a mess. This area needs a big cleanup and that will probably 450 affect locking. 451 452 ->readdir() and ->ioctl() on directories must be changed. Ideally we would 453 move ->readdir() to inode_operations and use a separate method for directory 454 ->ioctl() or kill the latter completely. One of the problems is that for 455 anything that resembles union-mount we won't have a struct file for all 456 components. And there are other reasons why the current interface is a mess... 457 458 ->ioctl() on regular files is superceded by the ->unlocked_ioctl() that 459 doesn't take the BKL. 460 461 ->read on directories probably must go away - we should just enforce -EISDIR 462 in sys_read() and friends. 463 464 ->fsync() has i_mutex on inode. 465 466 --------------------------- dquot_operations ------------------------------- 467 prototypes: 468 int (*initialize) (struct inode *, int); 469 int (*drop) (struct inode *); 470 int (*alloc_space) (struct inode *, qsize_t, int); 471 int (*alloc_inode) (const struct inode *, unsigned long); 472 int (*free_space) (struct inode *, qsize_t); 473 int (*free_inode) (const struct inode *, unsigned long); 474 int (*transfer) (struct inode *, struct iattr *); 475 int (*write_dquot) (struct dquot *); 476 int (*acquire_dquot) (struct dquot *); 477 int (*release_dquot) (struct dquot *); 478 int (*mark_dirty) (struct dquot *); 479 int (*write_info) (struct super_block *, int); 480 481 These operations are intended to be more or less wrapping functions that ensure 482 a proper locking wrt the filesystem and call the generic quota operations. 483 484 What filesystem should expect from the generic quota functions: 485 486 FS recursion Held locks when called 487 initialize: yes maybe dqonoff_sem 488 drop: yes - 489 alloc_space: ->mark_dirty() - 490 alloc_inode: ->mark_dirty() - 491 free_space: ->mark_dirty() - 492 free_inode: ->mark_dirty() - 493 transfer: yes - 494 write_dquot: yes dqonoff_sem or dqptr_sem 495 acquire_dquot: yes dqonoff_sem or dqptr_sem 496 release_dquot: yes dqonoff_sem or dqptr_sem 497 mark_dirty: no - 498 write_info: yes dqonoff_sem 499 500 FS recursion means calling ->quota_read() and ->quota_write() from superblock 501 operations. 502 503 ->alloc_space(), ->alloc_inode(), ->free_space(), ->free_inode() are called 504 only directly by the filesystem and do not call any fs functions only 505 the ->mark_dirty() operation. 506 507 More details about quota locking can be found in fs/dquot.c. 508 509 --------------------------- vm_operations_struct ----------------------------- 510 prototypes: 511 void (*open)(struct vm_area_struct*); 512 void (*close)(struct vm_area_struct*); 513 int (*fault)(struct vm_area_struct*, struct vm_fault *); 514 struct page *(*nopage)(struct vm_area_struct*, unsigned long, int *); 515 int (*page_mkwrite)(struct vm_area_struct *, struct page *); 516 517 locking rules: 518 BKL mmap_sem PageLocked(page) 519 open: no yes 520 close: no yes 521 fault: no yes 522 nopage: no yes 523 page_mkwrite: no yes no 524 525 ->page_mkwrite() is called when a previously read-only page is 526 about to become writeable. The file system is responsible for 527 protecting against truncate races. Once appropriate action has been 528 taking to lock out truncate, the page range should be verified to be 529 within i_size. The page mapping should also be checked that it is not 530 NULL. 531 532 ================================================================================ 533 Dubious stuff 534 535 (if you break something or notice that it is broken and do not fix it yourself 536 - at least put it here) 537 538 ipc/shm.c::shm_delete() - may need BKL. 539 ->read() and ->write() in many drivers are (probably) missing BKL. 540 drivers/sgi/char/graphics.c::sgi_graphics_nopage() - may need BKL.