Merge tag 'vfs-6.10-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

#include <linux/slab.h>

#include <linux/statfs.h>

#include <linux/namei.h>

#include <trace/events/fscache.h>

#include "internal.h"

/*

}

/*

 * Withdraw volumes.

 * Withdraw fscache volumes.

 */

static void cachefiles_withdraw_fscache_volumes(struct cachefiles_cache *cache)

{

	struct list_head *cur;

	struct cachefiles_volume *volume;

	struct fscache_volume *vcookie;

	_enter("");

retry:

	spin_lock(&cache->object_list_lock);

	list_for_each(cur, &cache->volumes) {

		volume = list_entry(cur, struct cachefiles_volume, cache_link);

		if (atomic_read(&volume->vcookie->n_accesses) == 0)

			continue;

		vcookie = fscache_try_get_volume(volume->vcookie,

						 fscache_volume_get_withdraw);

		if (vcookie) {

			spin_unlock(&cache->object_list_lock);

			fscache_withdraw_volume(vcookie);

			fscache_put_volume(vcookie, fscache_volume_put_withdraw);

			goto retry;

		}

	}

	spin_unlock(&cache->object_list_lock);

	_leave("");

}

/*

 * Withdraw cachefiles volumes.

 */

static void cachefiles_withdraw_volumes(struct cachefiles_cache *cache)

{

	_enter("");

	for (;;) {

		struct fscache_volume *vcookie = NULL;

		struct cachefiles_volume *volume = NULL;

		spin_lock(&cache->object_list_lock);

		if (!list_empty(&cache->volumes)) {

			volume = list_first_entry(&cache->volumes,

						  struct cachefiles_volume, cache_link);

			vcookie = fscache_try_get_volume(volume->vcookie,

							 fscache_volume_get_withdraw);

			if (!vcookie) {

				spin_unlock(&cache->object_list_lock);

				cpu_relax();

				continue;

			}

			list_del_init(&volume->cache_link);

		}

		spin_unlock(&cache->object_list_lock);

			break;

		cachefiles_withdraw_volume(volume);

		fscache_put_volume(vcookie, fscache_volume_put_withdraw);

	}

	_leave("");

	pr_info("File cache on %s unregistering\n", fscache->name);

	fscache_withdraw_cache(fscache);

	cachefiles_withdraw_fscache_volumes(cache);

	/* we now have to destroy all the active objects pertaining to this

	 * cache - which we do by passing them off to thread pool to be

	if (cachefiles_in_ondemand_mode(cache)) {

		if (!xa_empty(&cache->reqs)) {

			rcu_read_lock();

			xas_lock(&xas);

			xas_for_each_marked(&xas, req, ULONG_MAX, CACHEFILES_REQ_NEW) {

				if (!cachefiles_ondemand_is_reopening_read(req)) {

					mask |= EPOLLIN;

					break;

				}

			}

			rcu_read_unlock();

			xas_unlock(&xas);

		}

	} else {

		if (test_bit(CACHEFILES_STATE_CHANGED, &cache->flags))

	CACHEFILES_ONDEMAND_OBJSTATE_CLOSE, /* Anonymous fd closed by daemon or initial state */

	CACHEFILES_ONDEMAND_OBJSTATE_OPEN, /* Anonymous fd associated with object is available */

	CACHEFILES_ONDEMAND_OBJSTATE_REOPENING, /* Object that was closed and is being reopened. */

	CACHEFILES_ONDEMAND_OBJSTATE_DROPPING, /* Object is being dropped. */

};

struct cachefiles_ondemand_info {

	unsigned long			req_id_next;

	struct xarray			ondemand_ids;	/* xarray for ondemand_id allocation */

	u32				ondemand_id_next;

	u32				msg_id_next;

};

static inline bool cachefiles_in_ondemand_mode(struct cachefiles_cache *cache)

CACHEFILES_OBJECT_STATE_FUNCS(open, OPEN);

CACHEFILES_OBJECT_STATE_FUNCS(close, CLOSE);

CACHEFILES_OBJECT_STATE_FUNCS(reopening, REOPENING);

CACHEFILES_OBJECT_STATE_FUNCS(dropping, DROPPING);

static inline bool cachefiles_ondemand_is_reopening_read(struct cachefiles_req *req)

{

		 */

		xas_lock(&xas);

		if (test_bit(CACHEFILES_DEAD, &cache->flags)) {

		if (test_bit(CACHEFILES_DEAD, &cache->flags) ||

		    cachefiles_ondemand_object_is_dropping(object)) {

			xas_unlock(&xas);

			ret = -EIO;

			goto out;

			goto out;

		}

		xas.xa_index = 0;

		/*

		 * Cyclically find a free xas to avoid msg_id reuse that would

		 * cause the daemon to successfully copen a stale msg_id.

		 */

		xas.xa_index = cache->msg_id_next;

		xas_find_marked(&xas, UINT_MAX, XA_FREE_MARK);

		if (xas.xa_node == XAS_RESTART) {

			xas.xa_index = 0;

			xas_find_marked(&xas, cache->msg_id_next - 1, XA_FREE_MARK);

		}

		if (xas.xa_node == XAS_RESTART)

			xas_set_err(&xas, -EBUSY);

		xas_store(&xas, req);

		if (xas_valid(&xas)) {

			cache->msg_id_next = xas.xa_index + 1;

			xas_clear_mark(&xas, XA_FREE_MARK);

			xas_set_mark(&xas, CACHEFILES_REQ_NEW);

		}

		xas_unlock(&xas);

	} while (xas_nomem(&xas, GFP_KERNEL));

	 * If error occurs after creating the anonymous fd,

	 * cachefiles_ondemand_fd_release() will set object to close.

	 */

	if (opcode == CACHEFILES_OP_OPEN)

	if (opcode == CACHEFILES_OP_OPEN &&

	    !cachefiles_ondemand_object_is_dropping(object))

		cachefiles_ondemand_set_object_close(object);

	kfree(req);

	return ret;

void cachefiles_ondemand_clean_object(struct cachefiles_object *object)

{

	unsigned long index;

	struct cachefiles_req *req;

	struct cachefiles_cache *cache;

	if (!object->ondemand)

		return;

	cachefiles_ondemand_send_req(object, CACHEFILES_OP_CLOSE, 0,

			cachefiles_ondemand_init_close_req, NULL);

	if (!object->ondemand->ondemand_id)

		return;

	/* Cancel all requests for the object that is being dropped. */

	cache = object->volume->cache;

	xa_lock(&cache->reqs);

	cachefiles_ondemand_set_object_dropping(object);

	xa_for_each(&cache->reqs, index, req) {

		if (req->object == object) {

			req->error = -EIO;

			complete(&req->done);

			__xa_erase(&cache->reqs, index);

		}

	}

	xa_unlock(&cache->reqs);

	/* Wait for ondemand_object_worker() to finish to avoid UAF. */

	cancel_work_sync(&object->ondemand->ondemand_work);

}

int cachefiles_ondemand_init_obj_info(struct cachefiles_object *object,

void cachefiles_withdraw_volume(struct cachefiles_volume *volume)

{

	fscache_withdraw_volume(volume->vcookie);

	cachefiles_set_volume_xattr(volume);

	__cachefiles_free_volume(volume);

}