Loading...
1====================
2Changes since 2.5.0:
3====================
4
5---
6
7**recommended**
8
9New helpers: sb_bread(), sb_getblk(), sb_find_get_block(), set_bh(),
10sb_set_blocksize() and sb_min_blocksize().
11
12Use them.
13
14(sb_find_get_block() replaces 2.4's get_hash_table())
15
16---
17
18**recommended**
19
20New methods: ->alloc_inode() and ->destroy_inode().
21
22Remove inode->u.foo_inode_i
23
24Declare::
25
26 struct foo_inode_info {
27 /* fs-private stuff */
28 struct inode vfs_inode;
29 };
30 static inline struct foo_inode_info *FOO_I(struct inode *inode)
31 {
32 return list_entry(inode, struct foo_inode_info, vfs_inode);
33 }
34
35Use FOO_I(inode) instead of &inode->u.foo_inode_i;
36
37Add foo_alloc_inode() and foo_destroy_inode() - the former should allocate
38foo_inode_info and return the address of ->vfs_inode, the latter should free
39FOO_I(inode) (see in-tree filesystems for examples).
40
41Make them ->alloc_inode and ->destroy_inode in your super_operations.
42
43Keep in mind that now you need explicit initialization of private data
44typically between calling iget_locked() and unlocking the inode.
45
46At some point that will become mandatory.
47
48**mandatory**
49
50The foo_inode_info should always be allocated through alloc_inode_sb() rather
51than kmem_cache_alloc() or kmalloc() related to set up the inode reclaim context
52correctly.
53
54---
55
56**mandatory**
57
58Change of file_system_type method (->read_super to ->get_sb)
59
60->read_super() is no more. Ditto for DECLARE_FSTYPE and DECLARE_FSTYPE_DEV.
61
62Turn your foo_read_super() into a function that would return 0 in case of
63success and negative number in case of error (-EINVAL unless you have more
64informative error value to report). Call it foo_fill_super(). Now declare::
65
66 int foo_get_sb(struct file_system_type *fs_type,
67 int flags, const char *dev_name, void *data, struct vfsmount *mnt)
68 {
69 return get_sb_bdev(fs_type, flags, dev_name, data, foo_fill_super,
70 mnt);
71 }
72
73(or similar with s/bdev/nodev/ or s/bdev/single/, depending on the kind of
74filesystem).
75
76Replace DECLARE_FSTYPE... with explicit initializer and have ->get_sb set as
77foo_get_sb.
78
79---
80
81**mandatory**
82
83Locking change: ->s_vfs_rename_sem is taken only by cross-directory renames.
84Most likely there is no need to change anything, but if you relied on
85global exclusion between renames for some internal purpose - you need to
86change your internal locking. Otherwise exclusion warranties remain the
87same (i.e. parents and victim are locked, etc.).
88
89---
90
91**informational**
92
93Now we have the exclusion between ->lookup() and directory removal (by
94->rmdir() and ->rename()). If you used to need that exclusion and do
95it by internal locking (most of filesystems couldn't care less) - you
96can relax your locking.
97
98---
99
100**mandatory**
101
102->lookup(), ->truncate(), ->create(), ->unlink(), ->mknod(), ->mkdir(),
103->rmdir(), ->link(), ->lseek(), ->symlink(), ->rename()
104and ->readdir() are called without BKL now. Grab it on entry, drop upon return
105- that will guarantee the same locking you used to have. If your method or its
106parts do not need BKL - better yet, now you can shift lock_kernel() and
107unlock_kernel() so that they would protect exactly what needs to be
108protected.
109
110---
111
112**mandatory**
113
114BKL is also moved from around sb operations. BKL should have been shifted into
115individual fs sb_op functions. If you don't need it, remove it.
116
117---
118
119**informational**
120
121check for ->link() target not being a directory is done by callers. Feel
122free to drop it...
123
124---
125
126**informational**
127
128->link() callers hold ->i_mutex on the object we are linking to. Some of your
129problems might be over...
130
131---
132
133**mandatory**
134
135new file_system_type method - kill_sb(superblock). If you are converting
136an existing filesystem, set it according to ->fs_flags::
137
138 FS_REQUIRES_DEV - kill_block_super
139 FS_LITTER - kill_litter_super
140 neither - kill_anon_super
141
142FS_LITTER is gone - just remove it from fs_flags.
143
144---
145
146**mandatory**
147
148FS_SINGLE is gone (actually, that had happened back when ->get_sb()
149went in - and hadn't been documented ;-/). Just remove it from fs_flags
150(and see ->get_sb() entry for other actions).
151
152---
153
154**mandatory**
155
156->setattr() is called without BKL now. Caller _always_ holds ->i_mutex, so
157watch for ->i_mutex-grabbing code that might be used by your ->setattr().
158Callers of notify_change() need ->i_mutex now.
159
160---
161
162**recommended**
163
164New super_block field ``struct export_operations *s_export_op`` for
165explicit support for exporting, e.g. via NFS. The structure is fully
166documented at its declaration in include/linux/fs.h, and in
167Documentation/filesystems/nfs/exporting.rst.
168
169Briefly it allows for the definition of decode_fh and encode_fh operations
170to encode and decode filehandles, and allows the filesystem to use
171a standard helper function for decode_fh, and provide file-system specific
172support for this helper, particularly get_parent.
173
174It is planned that this will be required for exporting once the code
175settles down a bit.
176
177**mandatory**
178
179s_export_op is now required for exporting a filesystem.
180isofs, ext2, ext3, fat
181can be used as examples of very different filesystems.
182
183---
184
185**mandatory**
186
187iget4() and the read_inode2 callback have been superseded by iget5_locked()
188which has the following prototype::
189
190 struct inode *iget5_locked(struct super_block *sb, unsigned long ino,
191 int (*test)(struct inode *, void *),
192 int (*set)(struct inode *, void *),
193 void *data);
194
195'test' is an additional function that can be used when the inode
196number is not sufficient to identify the actual file object. 'set'
197should be a non-blocking function that initializes those parts of a
198newly created inode to allow the test function to succeed. 'data' is
199passed as an opaque value to both test and set functions.
200
201When the inode has been created by iget5_locked(), it will be returned with the
202I_NEW flag set and will still be locked. The filesystem then needs to finalize
203the initialization. Once the inode is initialized it must be unlocked by
204calling unlock_new_inode().
205
206The filesystem is responsible for setting (and possibly testing) i_ino
207when appropriate. There is also a simpler iget_locked function that
208just takes the superblock and inode number as arguments and does the
209test and set for you.
210
211e.g.::
212
213 inode = iget_locked(sb, ino);
214 if (inode->i_state & I_NEW) {
215 err = read_inode_from_disk(inode);
216 if (err < 0) {
217 iget_failed(inode);
218 return err;
219 }
220 unlock_new_inode(inode);
221 }
222
223Note that if the process of setting up a new inode fails, then iget_failed()
224should be called on the inode to render it dead, and an appropriate error
225should be passed back to the caller.
226
227---
228
229**recommended**
230
231->getattr() finally getting used. See instances in nfs, minix, etc.
232
233---
234
235**mandatory**
236
237->revalidate() is gone. If your filesystem had it - provide ->getattr()
238and let it call whatever you had as ->revlidate() + (for symlinks that
239had ->revalidate()) add calls in ->follow_link()/->readlink().
240
241---
242
243**mandatory**
244
245->d_parent changes are not protected by BKL anymore. Read access is safe
246if at least one of the following is true:
247
248 * filesystem has no cross-directory rename()
249 * we know that parent had been locked (e.g. we are looking at
250 ->d_parent of ->lookup() argument).
251 * we are called from ->rename().
252 * the child's ->d_lock is held
253
254Audit your code and add locking if needed. Notice that any place that is
255not protected by the conditions above is risky even in the old tree - you
256had been relying on BKL and that's prone to screwups. Old tree had quite
257a few holes of that kind - unprotected access to ->d_parent leading to
258anything from oops to silent memory corruption.
259
260---
261
262**mandatory**
263
264FS_NOMOUNT is gone. If you use it - just set SB_NOUSER in flags
265(see rootfs for one kind of solution and bdev/socket/pipe for another).
266
267---
268
269**recommended**
270
271Use bdev_read_only(bdev) instead of is_read_only(kdev). The latter
272is still alive, but only because of the mess in drivers/s390/block/dasd.c.
273As soon as it gets fixed is_read_only() will die.
274
275---
276
277**mandatory**
278
279->permission() is called without BKL now. Grab it on entry, drop upon
280return - that will guarantee the same locking you used to have. If
281your method or its parts do not need BKL - better yet, now you can
282shift lock_kernel() and unlock_kernel() so that they would protect
283exactly what needs to be protected.
284
285---
286
287**mandatory**
288
289->statfs() is now called without BKL held. BKL should have been
290shifted into individual fs sb_op functions where it's not clear that
291it's safe to remove it. If you don't need it, remove it.
292
293---
294
295**mandatory**
296
297is_read_only() is gone; use bdev_read_only() instead.
298
299---
300
301**mandatory**
302
303destroy_buffers() is gone; use invalidate_bdev().
304
305---
306
307**mandatory**
308
309fsync_dev() is gone; use fsync_bdev(). NOTE: lvm breakage is
310deliberate; as soon as struct block_device * is propagated in a reasonable
311way by that code fixing will become trivial; until then nothing can be
312done.
313
314**mandatory**
315
316block truncatation on error exit from ->write_begin, and ->direct_IO
317moved from generic methods (block_write_begin, cont_write_begin,
318nobh_write_begin, blockdev_direct_IO*) to callers. Take a look at
319ext2_write_failed and callers for an example.
320
321**mandatory**
322
323->truncate is gone. The whole truncate sequence needs to be
324implemented in ->setattr, which is now mandatory for filesystems
325implementing on-disk size changes. Start with a copy of the old inode_setattr
326and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
327be in order of zeroing blocks using block_truncate_page or similar helpers,
328size update and on finally on-disk truncation which should not fail.
329setattr_prepare (which used to be inode_change_ok) now includes the size checks
330for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
331
332**mandatory**
333
334->clear_inode() and ->delete_inode() are gone; ->evict_inode() should
335be used instead. It gets called whenever the inode is evicted, whether it has
336remaining links or not. Caller does *not* evict the pagecache or inode-associated
337metadata buffers; the method has to use truncate_inode_pages_final() to get rid
338of those. Caller makes sure async writeback cannot be running for the inode while
339(or after) ->evict_inode() is called.
340
341->drop_inode() returns int now; it's called on final iput() with
342inode->i_lock held and it returns true if filesystems wants the inode to be
343dropped. As before, generic_drop_inode() is still the default and it's been
344updated appropriately. generic_delete_inode() is also alive and it consists
345simply of return 1. Note that all actual eviction work is done by caller after
346->drop_inode() returns.
347
348As before, clear_inode() must be called exactly once on each call of
349->evict_inode() (as it used to be for each call of ->delete_inode()). Unlike
350before, if you are using inode-associated metadata buffers (i.e.
351mark_buffer_dirty_inode()), it's your responsibility to call
352invalidate_inode_buffers() before clear_inode().
353
354NOTE: checking i_nlink in the beginning of ->write_inode() and bailing out
355if it's zero is not *and* *never* *had* *been* enough. Final unlink() and iput()
356may happen while the inode is in the middle of ->write_inode(); e.g. if you blindly
357free the on-disk inode, you may end up doing that while ->write_inode() is writing
358to it.
359
360---
361
362**mandatory**
363
364.d_delete() now only advises the dcache as to whether or not to cache
365unreferenced dentries, and is now only called when the dentry refcount goes to
3660. Even on 0 refcount transition, it must be able to tolerate being called 0,
3671, or more times (eg. constant, idempotent).
368
369---
370
371**mandatory**
372
373.d_compare() calling convention and locking rules are significantly
374changed. Read updated documentation in Documentation/filesystems/vfs.rst (and
375look at examples of other filesystems) for guidance.
376
377---
378
379**mandatory**
380
381.d_hash() calling convention and locking rules are significantly
382changed. Read updated documentation in Documentation/filesystems/vfs.rst (and
383look at examples of other filesystems) for guidance.
384
385---
386
387**mandatory**
388
389dcache_lock is gone, replaced by fine grained locks. See fs/dcache.c
390for details of what locks to replace dcache_lock with in order to protect
391particular things. Most of the time, a filesystem only needs ->d_lock, which
392protects *all* the dcache state of a given dentry.
393
394---
395
396**mandatory**
397
398Filesystems must RCU-free their inodes, if they can have been accessed
399via rcu-walk path walk (basically, if the file can have had a path name in the
400vfs namespace).
401
402Even though i_dentry and i_rcu share storage in a union, we will
403initialize the former in inode_init_always(), so just leave it alone in
404the callback. It used to be necessary to clean it there, but not anymore
405(starting at 3.2).
406
407---
408
409**recommended**
410
411vfs now tries to do path walking in "rcu-walk mode", which avoids
412atomic operations and scalability hazards on dentries and inodes (see
413Documentation/filesystems/path-lookup.txt). d_hash and d_compare changes
414(above) are examples of the changes required to support this. For more complex
415filesystem callbacks, the vfs drops out of rcu-walk mode before the fs call, so
416no changes are required to the filesystem. However, this is costly and loses
417the benefits of rcu-walk mode. We will begin to add filesystem callbacks that
418are rcu-walk aware, shown below. Filesystems should take advantage of this
419where possible.
420
421---
422
423**mandatory**
424
425d_revalidate is a callback that is made on every path element (if
426the filesystem provides it), which requires dropping out of rcu-walk mode. This
427may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be
428returned if the filesystem cannot handle rcu-walk. See
429Documentation/filesystems/vfs.rst for more details.
430
431permission is an inode permission check that is called on many or all
432directory inodes on the way down a path walk (to check for exec permission). It
433must now be rcu-walk aware (mask & MAY_NOT_BLOCK). See
434Documentation/filesystems/vfs.rst for more details.
435
436---
437
438**mandatory**
439
440In ->fallocate() you must check the mode option passed in. If your
441filesystem does not support hole punching (deallocating space in the middle of a
442file) you must return -EOPNOTSUPP if FALLOC_FL_PUNCH_HOLE is set in mode.
443Currently you can only have FALLOC_FL_PUNCH_HOLE with FALLOC_FL_KEEP_SIZE set,
444so the i_size should not change when hole punching, even when puching the end of
445a file off.
446
447---
448
449**mandatory**
450
451->get_sb() is gone. Switch to use of ->mount(). Typically it's just
452a matter of switching from calling ``get_sb_``... to ``mount_``... and changing
453the function type. If you were doing it manually, just switch from setting
454->mnt_root to some pointer to returning that pointer. On errors return
455ERR_PTR(...).
456
457---
458
459**mandatory**
460
461->permission() and generic_permission()have lost flags
462argument; instead of passing IPERM_FLAG_RCU we add MAY_NOT_BLOCK into mask.
463
464generic_permission() has also lost the check_acl argument; ACL checking
465has been taken to VFS and filesystems need to provide a non-NULL
466->i_op->get_inode_acl to read an ACL from disk.
467
468---
469
470**mandatory**
471
472If you implement your own ->llseek() you must handle SEEK_HOLE and
473SEEK_DATA. You can handle this by returning -EINVAL, but it would be nicer to
474support it in some way. The generic handler assumes that the entire file is
475data and there is a virtual hole at the end of the file. So if the provided
476offset is less than i_size and SEEK_DATA is specified, return the same offset.
477If the above is true for the offset and you are given SEEK_HOLE, return the end
478of the file. If the offset is i_size or greater return -ENXIO in either case.
479
480**mandatory**
481
482If you have your own ->fsync() you must make sure to call
483filemap_write_and_wait_range() so that all dirty pages are synced out properly.
484You must also keep in mind that ->fsync() is not called with i_mutex held
485anymore, so if you require i_mutex locking you must make sure to take it and
486release it yourself.
487
488---
489
490**mandatory**
491
492d_alloc_root() is gone, along with a lot of bugs caused by code
493misusing it. Replacement: d_make_root(inode). On success d_make_root(inode)
494allocates and returns a new dentry instantiated with the passed in inode.
495On failure NULL is returned and the passed in inode is dropped so the reference
496to inode is consumed in all cases and failure handling need not do any cleanup
497for the inode. If d_make_root(inode) is passed a NULL inode it returns NULL
498and also requires no further error handling. Typical usage is::
499
500 inode = foofs_new_inode(....);
501 s->s_root = d_make_root(inode);
502 if (!s->s_root)
503 /* Nothing needed for the inode cleanup */
504 return -ENOMEM;
505 ...
506
507---
508
509**mandatory**
510
511The witch is dead! Well, 2/3 of it, anyway. ->d_revalidate() and
512->lookup() do *not* take struct nameidata anymore; just the flags.
513
514---
515
516**mandatory**
517
518->create() doesn't take ``struct nameidata *``; unlike the previous
519two, it gets "is it an O_EXCL or equivalent?" boolean argument. Note that
520local filesystems can ignore this argument - they are guaranteed that the
521object doesn't exist. It's remote/distributed ones that might care...
522
523---
524
525**mandatory**
526
527FS_REVAL_DOT is gone; if you used to have it, add ->d_weak_revalidate()
528in your dentry operations instead.
529
530---
531
532**mandatory**
533
534vfs_readdir() is gone; switch to iterate_dir() instead
535
536---
537
538**mandatory**
539
540->readdir() is gone now; switch to ->iterate_shared()
541
542**mandatory**
543
544vfs_follow_link has been removed. Filesystems must use nd_set_link
545from ->follow_link for normal symlinks, or nd_jump_link for magic
546/proc/<pid> style links.
547
548---
549
550**mandatory**
551
552iget5_locked()/ilookup5()/ilookup5_nowait() test() callback used to be
553called with both ->i_lock and inode_hash_lock held; the former is *not*
554taken anymore, so verify that your callbacks do not rely on it (none
555of the in-tree instances did). inode_hash_lock is still held,
556of course, so they are still serialized wrt removal from inode hash,
557as well as wrt set() callback of iget5_locked().
558
559---
560
561**mandatory**
562
563d_materialise_unique() is gone; d_splice_alias() does everything you
564need now. Remember that they have opposite orders of arguments ;-/
565
566---
567
568**mandatory**
569
570f_dentry is gone; use f_path.dentry, or, better yet, see if you can avoid
571it entirely.
572
573---
574
575**mandatory**
576
577never call ->read() and ->write() directly; use __vfs_{read,write} or
578wrappers; instead of checking for ->write or ->read being NULL, look for
579FMODE_CAN_{WRITE,READ} in file->f_mode.
580
581---
582
583**mandatory**
584
585do _not_ use new_sync_{read,write} for ->read/->write; leave it NULL
586instead.
587
588---
589
590**mandatory**
591 ->aio_read/->aio_write are gone. Use ->read_iter/->write_iter.
592
593---
594
595**recommended**
596
597for embedded ("fast") symlinks just set inode->i_link to wherever the
598symlink body is and use simple_follow_link() as ->follow_link().
599
600---
601
602**mandatory**
603
604calling conventions for ->follow_link() have changed. Instead of returning
605cookie and using nd_set_link() to store the body to traverse, we return
606the body to traverse and store the cookie using explicit void ** argument.
607nameidata isn't passed at all - nd_jump_link() doesn't need it and
608nd_[gs]et_link() is gone.
609
610---
611
612**mandatory**
613
614calling conventions for ->put_link() have changed. It gets inode instead of
615dentry, it does not get nameidata at all and it gets called only when cookie
616is non-NULL. Note that link body isn't available anymore, so if you need it,
617store it as cookie.
618
619---
620
621**mandatory**
622
623any symlink that might use page_follow_link_light/page_put_link() must
624have inode_nohighmem(inode) called before anything might start playing with
625its pagecache. No highmem pages should end up in the pagecache of such
626symlinks. That includes any preseeding that might be done during symlink
627creation. page_symlink() will honour the mapping gfp flags, so once
628you've done inode_nohighmem() it's safe to use, but if you allocate and
629insert the page manually, make sure to use the right gfp flags.
630
631---
632
633**mandatory**
634
635->follow_link() is replaced with ->get_link(); same API, except that
636
637 * ->get_link() gets inode as a separate argument
638 * ->get_link() may be called in RCU mode - in that case NULL
639 dentry is passed
640
641---
642
643**mandatory**
644
645->get_link() gets struct delayed_call ``*done`` now, and should do
646set_delayed_call() where it used to set ``*cookie``.
647
648->put_link() is gone - just give the destructor to set_delayed_call()
649in ->get_link().
650
651---
652
653**mandatory**
654
655->getxattr() and xattr_handler.get() get dentry and inode passed separately.
656dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
657in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
658called before we attach dentry to inode.
659
660---
661
662**mandatory**
663
664symlinks are no longer the only inodes that do *not* have i_bdev/i_cdev/
665i_pipe/i_link union zeroed out at inode eviction. As the result, you can't
666assume that non-NULL value in ->i_nlink at ->destroy_inode() implies that
667it's a symlink. Checking ->i_mode is really needed now. In-tree we had
668to fix shmem_destroy_callback() that used to take that kind of shortcut;
669watch out, since that shortcut is no longer valid.
670
671---
672
673**mandatory**
674
675->i_mutex is replaced with ->i_rwsem now. inode_lock() et.al. work as
676they used to - they just take it exclusive. However, ->lookup() may be
677called with parent locked shared. Its instances must not
678
679 * use d_instantiate) and d_rehash() separately - use d_add() or
680 d_splice_alias() instead.
681 * use d_rehash() alone - call d_add(new_dentry, NULL) instead.
682 * in the unlikely case when (read-only) access to filesystem
683 data structures needs exclusion for some reason, arrange it
684 yourself. None of the in-tree filesystems needed that.
685 * rely on ->d_parent and ->d_name not changing after dentry has
686 been fed to d_add() or d_splice_alias(). Again, none of the
687 in-tree instances relied upon that.
688
689We are guaranteed that lookups of the same name in the same directory
690will not happen in parallel ("same" in the sense of your ->d_compare()).
691Lookups on different names in the same directory can and do happen in
692parallel now.
693
694---
695
696**mandatory**
697
698->iterate_shared() is added.
699Exclusion on struct file level is still provided (as well as that
700between it and lseek on the same struct file), but if your directory
701has been opened several times, you can get these called in parallel.
702Exclusion between that method and all directory-modifying ones is
703still provided, of course.
704
705If you have any per-inode or per-dentry in-core data structures modified
706by ->iterate_shared(), you might need something to serialize the access
707to them. If you do dcache pre-seeding, you'll need to switch to
708d_alloc_parallel() for that; look for in-tree examples.
709
710---
711
712**mandatory**
713
714->atomic_open() calls without O_CREAT may happen in parallel.
715
716---
717
718**mandatory**
719
720->setxattr() and xattr_handler.set() get dentry and inode passed separately.
721The xattr_handler.set() gets passed the user namespace of the mount the inode
722is seen from so filesystems can idmap the i_uid and i_gid accordingly.
723dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
724in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
725called before we attach dentry to inode and !@#!@##!@$!$#!@#$!@$!@$ smack
726->d_instantiate() uses not just ->getxattr() but ->setxattr() as well.
727
728---
729
730**mandatory**
731
732->d_compare() doesn't get parent as a separate argument anymore. If you
733used it for finding the struct super_block involved, dentry->d_sb will
734work just as well; if it's something more complicated, use dentry->d_parent.
735Just be careful not to assume that fetching it more than once will yield
736the same value - in RCU mode it could change under you.
737
738---
739
740**mandatory**
741
742->rename() has an added flags argument. Any flags not handled by the
743filesystem should result in EINVAL being returned.
744
745---
746
747
748**recommended**
749
750->readlink is optional for symlinks. Don't set, unless filesystem needs
751to fake something for readlink(2).
752
753---
754
755**mandatory**
756
757->getattr() is now passed a struct path rather than a vfsmount and
758dentry separately, and it now has request_mask and query_flags arguments
759to specify the fields and sync type requested by statx. Filesystems not
760supporting any statx-specific features may ignore the new arguments.
761
762---
763
764**mandatory**
765
766->atomic_open() calling conventions have changed. Gone is ``int *opened``,
767along with FILE_OPENED/FILE_CREATED. In place of those we have
768FMODE_OPENED/FMODE_CREATED, set in file->f_mode. Additionally, return
769value for 'called finish_no_open(), open it yourself' case has become
7700, not 1. Since finish_no_open() itself is returning 0 now, that part
771does not need any changes in ->atomic_open() instances.
772
773---
774
775**mandatory**
776
777alloc_file() has become static now; two wrappers are to be used instead.
778alloc_file_pseudo(inode, vfsmount, name, flags, ops) is for the cases
779when dentry needs to be created; that's the majority of old alloc_file()
780users. Calling conventions: on success a reference to new struct file
781is returned and callers reference to inode is subsumed by that. On
782failure, ERR_PTR() is returned and no caller's references are affected,
783so the caller needs to drop the inode reference it held.
784alloc_file_clone(file, flags, ops) does not affect any caller's references.
785On success you get a new struct file sharing the mount/dentry with the
786original, on failure - ERR_PTR().
787
788---
789
790**mandatory**
791
792->clone_file_range() and ->dedupe_file_range have been replaced with
793->remap_file_range(). See Documentation/filesystems/vfs.rst for more
794information.
795
796---
797
798**recommended**
799
800->lookup() instances doing an equivalent of::
801
802 if (IS_ERR(inode))
803 return ERR_CAST(inode);
804 return d_splice_alias(inode, dentry);
805
806don't need to bother with the check - d_splice_alias() will do the
807right thing when given ERR_PTR(...) as inode. Moreover, passing NULL
808inode to d_splice_alias() will also do the right thing (equivalent of
809d_add(dentry, NULL); return NULL;), so that kind of special cases
810also doesn't need a separate treatment.
811
812---
813
814**strongly recommended**
815
816take the RCU-delayed parts of ->destroy_inode() into a new method -
817->free_inode(). If ->destroy_inode() becomes empty - all the better,
818just get rid of it. Synchronous work (e.g. the stuff that can't
819be done from an RCU callback, or any WARN_ON() where we want the
820stack trace) *might* be movable to ->evict_inode(); however,
821that goes only for the things that are not needed to balance something
822done by ->alloc_inode(). IOW, if it's cleaning up the stuff that
823might have accumulated over the life of in-core inode, ->evict_inode()
824might be a fit.
825
826Rules for inode destruction:
827
828 * if ->destroy_inode() is non-NULL, it gets called
829 * if ->free_inode() is non-NULL, it gets scheduled by call_rcu()
830 * combination of NULL ->destroy_inode and NULL ->free_inode is
831 treated as NULL/free_inode_nonrcu, to preserve the compatibility.
832
833Note that the callback (be it via ->free_inode() or explicit call_rcu()
834in ->destroy_inode()) is *NOT* ordered wrt superblock destruction;
835as the matter of fact, the superblock and all associated structures
836might be already gone. The filesystem driver is guaranteed to be still
837there, but that's it. Freeing memory in the callback is fine; doing
838more than that is possible, but requires a lot of care and is best
839avoided.
840
841---
842
843**mandatory**
844
845DCACHE_RCUACCESS is gone; having an RCU delay on dentry freeing is the
846default. DCACHE_NORCU opts out, and only d_alloc_pseudo() has any
847business doing so.
848
849---
850
851**mandatory**
852
853d_alloc_pseudo() is internal-only; uses outside of alloc_file_pseudo() are
854very suspect (and won't work in modules). Such uses are very likely to
855be misspelled d_alloc_anon().
856
857---
858
859**mandatory**
860
861[should've been added in 2016] stale comment in finish_open() notwithstanding,
862failure exits in ->atomic_open() instances should *NOT* fput() the file,
863no matter what. Everything is handled by the caller.
864
865---
866
867**mandatory**
868
869clone_private_mount() returns a longterm mount now, so the proper destructor of
870its result is kern_unmount() or kern_unmount_array().
871
872---
873
874**mandatory**
875
876zero-length bvec segments are disallowed, they must be filtered out before
877passed on to an iterator.
878
879---
880
881**mandatory**
882
883For bvec based itererators bio_iov_iter_get_pages() now doesn't copy bvecs but
884uses the one provided. Anyone issuing kiocb-I/O should ensure that the bvec and
885page references stay until I/O has completed, i.e. until ->ki_complete() has
886been called or returned with non -EIOCBQUEUED code.
887
888---
889
890**mandatory**
891
892mnt_want_write_file() can now only be paired with mnt_drop_write_file(),
893whereas previously it could be paired with mnt_drop_write() as well.
894
895---
896
897**mandatory**
898
899iov_iter_copy_from_user_atomic() is gone; use copy_page_from_iter_atomic().
900The difference is copy_page_from_iter_atomic() advances the iterator and
901you don't need iov_iter_advance() after it. However, if you decide to use
902only a part of obtained data, you should do iov_iter_revert().
903
904---
905
906**mandatory**
907
908Calling conventions for file_open_root() changed; now it takes struct path *
909instead of passing mount and dentry separately. For callers that used to
910pass <mnt, mnt->mnt_root> pair (i.e. the root of given mount), a new helper
911is provided - file_open_root_mnt(). In-tree users adjusted.
912
913---
914
915**mandatory**
916
917no_llseek is gone; don't set .llseek to that - just leave it NULL instead.
918Checks for "does that file have llseek(2), or should it fail with ESPIPE"
919should be done by looking at FMODE_LSEEK in file->f_mode.
920
921---
922
923*mandatory*
924
925filldir_t (readdir callbacks) calling conventions have changed. Instead of
926returning 0 or -E... it returns bool now. false means "no more" (as -E... used
927to) and true - "keep going" (as 0 in old calling conventions). Rationale:
928callers never looked at specific -E... values anyway. -> iterate_shared()
929instances require no changes at all, all filldir_t ones in the tree
930converted.
931
932---
933
934**mandatory**
935
936Calling conventions for ->tmpfile() have changed. It now takes a struct
937file pointer instead of struct dentry pointer. d_tmpfile() is similarly
938changed to simplify callers. The passed file is in a non-open state and on
939success must be opened before returning (e.g. by calling
940finish_open_simple()).
941
942---
943
944**mandatory**
945
946Calling convention for ->huge_fault has changed. It now takes a page
947order instead of an enum page_entry_size, and it may be called without the
948mmap_lock held. All in-tree users have been audited and do not seem to
949depend on the mmap_lock being held, but out of tree users should verify
950for themselves. If they do need it, they can return VM_FAULT_RETRY to
951be called with the mmap_lock held.
952
953---
954
955**mandatory**
956
957The order of opening block devices and matching or creating superblocks has
958changed.
959
960The old logic opened block devices first and then tried to find a
961suitable superblock to reuse based on the block device pointer.
962
963The new logic tries to find a suitable superblock first based on the device
964number, and opening the block device afterwards.
965
966Since opening block devices cannot happen under s_umount because of lock
967ordering requirements s_umount is now dropped while opening block devices and
968reacquired before calling fill_super().
969
970In the old logic concurrent mounters would find the superblock on the list of
971superblocks for the filesystem type. Since the first opener of the block device
972would hold s_umount they would wait until the superblock became either born or
973was discarded due to initialization failure.
974
975Since the new logic drops s_umount concurrent mounters could grab s_umount and
976would spin. Instead they are now made to wait using an explicit wait-wake
977mechanism without having to hold s_umount.
978
979---
980
981**mandatory**
982
983The holder of a block device is now the superblock.
984
985The holder of a block device used to be the file_system_type which wasn't
986particularly useful. It wasn't possible to go from block device to owning
987superblock without matching on the device pointer stored in the superblock.
988This mechanism would only work for a single device so the block layer couldn't
989find the owning superblock of any additional devices.
990
991In the old mechanism reusing or creating a superblock for a racing mount(2) and
992umount(2) relied on the file_system_type as the holder. This was severely
993underdocumented however:
994
995(1) Any concurrent mounter that managed to grab an active reference on an
996 existing superblock was made to wait until the superblock either became
997 ready or until the superblock was removed from the list of superblocks of
998 the filesystem type. If the superblock is ready the caller would simple
999 reuse it.
1000
1001(2) If the mounter came after deactivate_locked_super() but before
1002 the superblock had been removed from the list of superblocks of the
1003 filesystem type the mounter would wait until the superblock was shutdown,
1004 reuse the block device and allocate a new superblock.
1005
1006(3) If the mounter came after deactivate_locked_super() and after
1007 the superblock had been removed from the list of superblocks of the
1008 filesystem type the mounter would reuse the block device and allocate a new
1009 superblock (the bd_holder point may still be set to the filesystem type).
1010
1011Because the holder of the block device was the file_system_type any concurrent
1012mounter could open the block devices of any superblock of the same
1013file_system_type without risking seeing EBUSY because the block device was
1014still in use by another superblock.
1015
1016Making the superblock the owner of the block device changes this as the holder
1017is now a unique superblock and thus block devices associated with it cannot be
1018reused by concurrent mounters. So a concurrent mounter in (2) could suddenly
1019see EBUSY when trying to open a block device whose holder was a different
1020superblock.
1021
1022The new logic thus waits until the superblock and the devices are shutdown in
1023->kill_sb(). Removal of the superblock from the list of superblocks of the
1024filesystem type is now moved to a later point when the devices are closed:
1025
1026(1) Any concurrent mounter managing to grab an active reference on an existing
1027 superblock is made to wait until the superblock is either ready or until
1028 the superblock and all devices are shutdown in ->kill_sb(). If the
1029 superblock is ready the caller will simply reuse it.
1030
1031(2) If the mounter comes after deactivate_locked_super() but before
1032 the superblock has been removed from the list of superblocks of the
1033 filesystem type the mounter is made to wait until the superblock and the
1034 devices are shut down in ->kill_sb() and the superblock is removed from the
1035 list of superblocks of the filesystem type. The mounter will allocate a new
1036 superblock and grab ownership of the block device (the bd_holder pointer of
1037 the block device will be set to the newly allocated superblock).
1038
1039(3) This case is now collapsed into (2) as the superblock is left on the list
1040 of superblocks of the filesystem type until all devices are shutdown in
1041 ->kill_sb(). In other words, if the superblock isn't on the list of
1042 superblock of the filesystem type anymore then it has given up ownership of
1043 all associated block devices (the bd_holder pointer is NULL).
1044
1045As this is a VFS level change it has no practical consequences for filesystems
1046other than that all of them must use one of the provided kill_litter_super(),
1047kill_anon_super(), or kill_block_super() helpers.
1048
1049---
1050
1051**mandatory**
1052
1053Lock ordering has been changed so that s_umount ranks above open_mutex again.
1054All places where s_umount was taken under open_mutex have been fixed up.
1055
1056---
1057
1058**mandatory**
1059
1060export_operations ->encode_fh() no longer has a default implementation to
1061encode FILEID_INO32_GEN* file handles.
1062Filesystems that used the default implementation may use the generic helper
1063generic_encode_ino32_fh() explicitly.
1064
1065---
1066
1067**mandatory**
1068
1069If ->rename() update of .. on cross-directory move needs an exclusion with
1070directory modifications, do *not* lock the subdirectory in question in your
1071->rename() - it's done by the caller now [that item should've been added in
107228eceeda130f "fs: Lock moved directories"].
1073
1074---
1075
1076**mandatory**
1077
1078On same-directory ->rename() the (tautological) update of .. is not protected
1079by any locks; just don't do it if the old parent is the same as the new one.
1080We really can't lock two subdirectories in same-directory rename - not without
1081deadlocks.
1082
1083---
1084
1085**mandatory**
1086
1087lock_rename() and lock_rename_child() may fail in cross-directory case, if
1088their arguments do not have a common ancestor. In that case ERR_PTR(-EXDEV)
1089is returned, with no locks taken. In-tree users updated; out-of-tree ones
1090would need to do so.
1091
1092---
1093
1094**mandatory**
1095
1096The list of children anchored in parent dentry got turned into hlist now.
1097Field names got changed (->d_children/->d_sib instead of ->d_subdirs/->d_child
1098for anchor/entries resp.), so any affected places will be immediately caught
1099by compiler.
1100
1101---
1102
1103**mandatory**
1104
1105->d_delete() instances are now called for dentries with ->d_lock held
1106and refcount equal to 0. They are not permitted to drop/regain ->d_lock.
1107None of in-tree instances did anything of that sort. Make sure yours do not...
1108
1109---
1110
1111**mandatory**
1112
1113->d_prune() instances are now called without ->d_lock held on the parent.
1114->d_lock on dentry itself is still held; if you need per-parent exclusions (none
1115of the in-tree instances did), use your own spinlock.
1116
1117->d_iput() and ->d_release() are called with victim dentry still in the
1118list of parent's children. It is still unhashed, marked killed, etc., just not
1119removed from parent's ->d_children yet.
1120
1121Anyone iterating through the list of children needs to be aware of the
1122half-killed dentries that might be seen there; taking ->d_lock on those will
1123see them negative, unhashed and with negative refcount, which means that most
1124of the in-kernel users would've done the right thing anyway without any adjustment.
1125
1126---
1127
1128**recommended**
1129
1130Block device freezing and thawing have been moved to holder operations.
1131
1132Before this change, get_active_super() would only be able to find the
1133superblock of the main block device, i.e., the one stored in sb->s_bdev. Block
1134device freezing now works for any block device owned by a given superblock, not
1135just the main block device. The get_active_super() helper and bd_fsfreeze_sb
1136pointer are gone.
1137
1138---
1139
1140**mandatory**
1141
1142set_blocksize() takes opened struct file instead of struct block_device now
1143and it *must* be opened exclusive.
1====================
2Changes since 2.5.0:
3====================
4
5---
6
7**recommended**
8
9New helpers: sb_bread(), sb_getblk(), sb_find_get_block(), set_bh(),
10sb_set_blocksize() and sb_min_blocksize().
11
12Use them.
13
14(sb_find_get_block() replaces 2.4's get_hash_table())
15
16---
17
18**recommended**
19
20New methods: ->alloc_inode() and ->destroy_inode().
21
22Remove inode->u.foo_inode_i
23
24Declare::
25
26 struct foo_inode_info {
27 /* fs-private stuff */
28 struct inode vfs_inode;
29 };
30 static inline struct foo_inode_info *FOO_I(struct inode *inode)
31 {
32 return list_entry(inode, struct foo_inode_info, vfs_inode);
33 }
34
35Use FOO_I(inode) instead of &inode->u.foo_inode_i;
36
37Add foo_alloc_inode() and foo_destroy_inode() - the former should allocate
38foo_inode_info and return the address of ->vfs_inode, the latter should free
39FOO_I(inode) (see in-tree filesystems for examples).
40
41Make them ->alloc_inode and ->destroy_inode in your super_operations.
42
43Keep in mind that now you need explicit initialization of private data
44typically between calling iget_locked() and unlocking the inode.
45
46At some point that will become mandatory.
47
48---
49
50**mandatory**
51
52Change of file_system_type method (->read_super to ->get_sb)
53
54->read_super() is no more. Ditto for DECLARE_FSTYPE and DECLARE_FSTYPE_DEV.
55
56Turn your foo_read_super() into a function that would return 0 in case of
57success and negative number in case of error (-EINVAL unless you have more
58informative error value to report). Call it foo_fill_super(). Now declare::
59
60 int foo_get_sb(struct file_system_type *fs_type,
61 int flags, const char *dev_name, void *data, struct vfsmount *mnt)
62 {
63 return get_sb_bdev(fs_type, flags, dev_name, data, foo_fill_super,
64 mnt);
65 }
66
67(or similar with s/bdev/nodev/ or s/bdev/single/, depending on the kind of
68filesystem).
69
70Replace DECLARE_FSTYPE... with explicit initializer and have ->get_sb set as
71foo_get_sb.
72
73---
74
75**mandatory**
76
77Locking change: ->s_vfs_rename_sem is taken only by cross-directory renames.
78Most likely there is no need to change anything, but if you relied on
79global exclusion between renames for some internal purpose - you need to
80change your internal locking. Otherwise exclusion warranties remain the
81same (i.e. parents and victim are locked, etc.).
82
83---
84
85**informational**
86
87Now we have the exclusion between ->lookup() and directory removal (by
88->rmdir() and ->rename()). If you used to need that exclusion and do
89it by internal locking (most of filesystems couldn't care less) - you
90can relax your locking.
91
92---
93
94**mandatory**
95
96->lookup(), ->truncate(), ->create(), ->unlink(), ->mknod(), ->mkdir(),
97->rmdir(), ->link(), ->lseek(), ->symlink(), ->rename()
98and ->readdir() are called without BKL now. Grab it on entry, drop upon return
99- that will guarantee the same locking you used to have. If your method or its
100parts do not need BKL - better yet, now you can shift lock_kernel() and
101unlock_kernel() so that they would protect exactly what needs to be
102protected.
103
104---
105
106**mandatory**
107
108BKL is also moved from around sb operations. BKL should have been shifted into
109individual fs sb_op functions. If you don't need it, remove it.
110
111---
112
113**informational**
114
115check for ->link() target not being a directory is done by callers. Feel
116free to drop it...
117
118---
119
120**informational**
121
122->link() callers hold ->i_mutex on the object we are linking to. Some of your
123problems might be over...
124
125---
126
127**mandatory**
128
129new file_system_type method - kill_sb(superblock). If you are converting
130an existing filesystem, set it according to ->fs_flags::
131
132 FS_REQUIRES_DEV - kill_block_super
133 FS_LITTER - kill_litter_super
134 neither - kill_anon_super
135
136FS_LITTER is gone - just remove it from fs_flags.
137
138---
139
140**mandatory**
141
142FS_SINGLE is gone (actually, that had happened back when ->get_sb()
143went in - and hadn't been documented ;-/). Just remove it from fs_flags
144(and see ->get_sb() entry for other actions).
145
146---
147
148**mandatory**
149
150->setattr() is called without BKL now. Caller _always_ holds ->i_mutex, so
151watch for ->i_mutex-grabbing code that might be used by your ->setattr().
152Callers of notify_change() need ->i_mutex now.
153
154---
155
156**recommended**
157
158New super_block field ``struct export_operations *s_export_op`` for
159explicit support for exporting, e.g. via NFS. The structure is fully
160documented at its declaration in include/linux/fs.h, and in
161Documentation/filesystems/nfs/exporting.rst.
162
163Briefly it allows for the definition of decode_fh and encode_fh operations
164to encode and decode filehandles, and allows the filesystem to use
165a standard helper function for decode_fh, and provide file-system specific
166support for this helper, particularly get_parent.
167
168It is planned that this will be required for exporting once the code
169settles down a bit.
170
171**mandatory**
172
173s_export_op is now required for exporting a filesystem.
174isofs, ext2, ext3, resierfs, fat
175can be used as examples of very different filesystems.
176
177---
178
179**mandatory**
180
181iget4() and the read_inode2 callback have been superseded by iget5_locked()
182which has the following prototype::
183
184 struct inode *iget5_locked(struct super_block *sb, unsigned long ino,
185 int (*test)(struct inode *, void *),
186 int (*set)(struct inode *, void *),
187 void *data);
188
189'test' is an additional function that can be used when the inode
190number is not sufficient to identify the actual file object. 'set'
191should be a non-blocking function that initializes those parts of a
192newly created inode to allow the test function to succeed. 'data' is
193passed as an opaque value to both test and set functions.
194
195When the inode has been created by iget5_locked(), it will be returned with the
196I_NEW flag set and will still be locked. The filesystem then needs to finalize
197the initialization. Once the inode is initialized it must be unlocked by
198calling unlock_new_inode().
199
200The filesystem is responsible for setting (and possibly testing) i_ino
201when appropriate. There is also a simpler iget_locked function that
202just takes the superblock and inode number as arguments and does the
203test and set for you.
204
205e.g.::
206
207 inode = iget_locked(sb, ino);
208 if (inode->i_state & I_NEW) {
209 err = read_inode_from_disk(inode);
210 if (err < 0) {
211 iget_failed(inode);
212 return err;
213 }
214 unlock_new_inode(inode);
215 }
216
217Note that if the process of setting up a new inode fails, then iget_failed()
218should be called on the inode to render it dead, and an appropriate error
219should be passed back to the caller.
220
221---
222
223**recommended**
224
225->getattr() finally getting used. See instances in nfs, minix, etc.
226
227---
228
229**mandatory**
230
231->revalidate() is gone. If your filesystem had it - provide ->getattr()
232and let it call whatever you had as ->revlidate() + (for symlinks that
233had ->revalidate()) add calls in ->follow_link()/->readlink().
234
235---
236
237**mandatory**
238
239->d_parent changes are not protected by BKL anymore. Read access is safe
240if at least one of the following is true:
241
242 * filesystem has no cross-directory rename()
243 * we know that parent had been locked (e.g. we are looking at
244 ->d_parent of ->lookup() argument).
245 * we are called from ->rename().
246 * the child's ->d_lock is held
247
248Audit your code and add locking if needed. Notice that any place that is
249not protected by the conditions above is risky even in the old tree - you
250had been relying on BKL and that's prone to screwups. Old tree had quite
251a few holes of that kind - unprotected access to ->d_parent leading to
252anything from oops to silent memory corruption.
253
254---
255
256**mandatory**
257
258FS_NOMOUNT is gone. If you use it - just set SB_NOUSER in flags
259(see rootfs for one kind of solution and bdev/socket/pipe for another).
260
261---
262
263**recommended**
264
265Use bdev_read_only(bdev) instead of is_read_only(kdev). The latter
266is still alive, but only because of the mess in drivers/s390/block/dasd.c.
267As soon as it gets fixed is_read_only() will die.
268
269---
270
271**mandatory**
272
273->permission() is called without BKL now. Grab it on entry, drop upon
274return - that will guarantee the same locking you used to have. If
275your method or its parts do not need BKL - better yet, now you can
276shift lock_kernel() and unlock_kernel() so that they would protect
277exactly what needs to be protected.
278
279---
280
281**mandatory**
282
283->statfs() is now called without BKL held. BKL should have been
284shifted into individual fs sb_op functions where it's not clear that
285it's safe to remove it. If you don't need it, remove it.
286
287---
288
289**mandatory**
290
291is_read_only() is gone; use bdev_read_only() instead.
292
293---
294
295**mandatory**
296
297destroy_buffers() is gone; use invalidate_bdev().
298
299---
300
301**mandatory**
302
303fsync_dev() is gone; use fsync_bdev(). NOTE: lvm breakage is
304deliberate; as soon as struct block_device * is propagated in a reasonable
305way by that code fixing will become trivial; until then nothing can be
306done.
307
308**mandatory**
309
310block truncatation on error exit from ->write_begin, and ->direct_IO
311moved from generic methods (block_write_begin, cont_write_begin,
312nobh_write_begin, blockdev_direct_IO*) to callers. Take a look at
313ext2_write_failed and callers for an example.
314
315**mandatory**
316
317->truncate is gone. The whole truncate sequence needs to be
318implemented in ->setattr, which is now mandatory for filesystems
319implementing on-disk size changes. Start with a copy of the old inode_setattr
320and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
321be in order of zeroing blocks using block_truncate_page or similar helpers,
322size update and on finally on-disk truncation which should not fail.
323setattr_prepare (which used to be inode_change_ok) now includes the size checks
324for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
325
326**mandatory**
327
328->clear_inode() and ->delete_inode() are gone; ->evict_inode() should
329be used instead. It gets called whenever the inode is evicted, whether it has
330remaining links or not. Caller does *not* evict the pagecache or inode-associated
331metadata buffers; the method has to use truncate_inode_pages_final() to get rid
332of those. Caller makes sure async writeback cannot be running for the inode while
333(or after) ->evict_inode() is called.
334
335->drop_inode() returns int now; it's called on final iput() with
336inode->i_lock held and it returns true if filesystems wants the inode to be
337dropped. As before, generic_drop_inode() is still the default and it's been
338updated appropriately. generic_delete_inode() is also alive and it consists
339simply of return 1. Note that all actual eviction work is done by caller after
340->drop_inode() returns.
341
342As before, clear_inode() must be called exactly once on each call of
343->evict_inode() (as it used to be for each call of ->delete_inode()). Unlike
344before, if you are using inode-associated metadata buffers (i.e.
345mark_buffer_dirty_inode()), it's your responsibility to call
346invalidate_inode_buffers() before clear_inode().
347
348NOTE: checking i_nlink in the beginning of ->write_inode() and bailing out
349if it's zero is not *and* *never* *had* *been* enough. Final unlink() and iput()
350may happen while the inode is in the middle of ->write_inode(); e.g. if you blindly
351free the on-disk inode, you may end up doing that while ->write_inode() is writing
352to it.
353
354---
355
356**mandatory**
357
358.d_delete() now only advises the dcache as to whether or not to cache
359unreferenced dentries, and is now only called when the dentry refcount goes to
3600. Even on 0 refcount transition, it must be able to tolerate being called 0,
3611, or more times (eg. constant, idempotent).
362
363---
364
365**mandatory**
366
367.d_compare() calling convention and locking rules are significantly
368changed. Read updated documentation in Documentation/filesystems/vfs.rst (and
369look at examples of other filesystems) for guidance.
370
371---
372
373**mandatory**
374
375.d_hash() calling convention and locking rules are significantly
376changed. Read updated documentation in Documentation/filesystems/vfs.rst (and
377look at examples of other filesystems) for guidance.
378
379---
380
381**mandatory**
382
383dcache_lock is gone, replaced by fine grained locks. See fs/dcache.c
384for details of what locks to replace dcache_lock with in order to protect
385particular things. Most of the time, a filesystem only needs ->d_lock, which
386protects *all* the dcache state of a given dentry.
387
388---
389
390**mandatory**
391
392Filesystems must RCU-free their inodes, if they can have been accessed
393via rcu-walk path walk (basically, if the file can have had a path name in the
394vfs namespace).
395
396Even though i_dentry and i_rcu share storage in a union, we will
397initialize the former in inode_init_always(), so just leave it alone in
398the callback. It used to be necessary to clean it there, but not anymore
399(starting at 3.2).
400
401---
402
403**recommended**
404
405vfs now tries to do path walking in "rcu-walk mode", which avoids
406atomic operations and scalability hazards on dentries and inodes (see
407Documentation/filesystems/path-lookup.txt). d_hash and d_compare changes
408(above) are examples of the changes required to support this. For more complex
409filesystem callbacks, the vfs drops out of rcu-walk mode before the fs call, so
410no changes are required to the filesystem. However, this is costly and loses
411the benefits of rcu-walk mode. We will begin to add filesystem callbacks that
412are rcu-walk aware, shown below. Filesystems should take advantage of this
413where possible.
414
415---
416
417**mandatory**
418
419d_revalidate is a callback that is made on every path element (if
420the filesystem provides it), which requires dropping out of rcu-walk mode. This
421may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be
422returned if the filesystem cannot handle rcu-walk. See
423Documentation/filesystems/vfs.rst for more details.
424
425permission is an inode permission check that is called on many or all
426directory inodes on the way down a path walk (to check for exec permission). It
427must now be rcu-walk aware (mask & MAY_NOT_BLOCK). See
428Documentation/filesystems/vfs.rst for more details.
429
430---
431
432**mandatory**
433
434In ->fallocate() you must check the mode option passed in. If your
435filesystem does not support hole punching (deallocating space in the middle of a
436file) you must return -EOPNOTSUPP if FALLOC_FL_PUNCH_HOLE is set in mode.
437Currently you can only have FALLOC_FL_PUNCH_HOLE with FALLOC_FL_KEEP_SIZE set,
438so the i_size should not change when hole punching, even when puching the end of
439a file off.
440
441---
442
443**mandatory**
444
445->get_sb() is gone. Switch to use of ->mount(). Typically it's just
446a matter of switching from calling ``get_sb_``... to ``mount_``... and changing
447the function type. If you were doing it manually, just switch from setting
448->mnt_root to some pointer to returning that pointer. On errors return
449ERR_PTR(...).
450
451---
452
453**mandatory**
454
455->permission() and generic_permission()have lost flags
456argument; instead of passing IPERM_FLAG_RCU we add MAY_NOT_BLOCK into mask.
457
458generic_permission() has also lost the check_acl argument; ACL checking
459has been taken to VFS and filesystems need to provide a non-NULL ->i_op->get_acl
460to read an ACL from disk.
461
462---
463
464**mandatory**
465
466If you implement your own ->llseek() you must handle SEEK_HOLE and
467SEEK_DATA. You can hanle this by returning -EINVAL, but it would be nicer to
468support it in some way. The generic handler assumes that the entire file is
469data and there is a virtual hole at the end of the file. So if the provided
470offset is less than i_size and SEEK_DATA is specified, return the same offset.
471If the above is true for the offset and you are given SEEK_HOLE, return the end
472of the file. If the offset is i_size or greater return -ENXIO in either case.
473
474**mandatory**
475
476If you have your own ->fsync() you must make sure to call
477filemap_write_and_wait_range() so that all dirty pages are synced out properly.
478You must also keep in mind that ->fsync() is not called with i_mutex held
479anymore, so if you require i_mutex locking you must make sure to take it and
480release it yourself.
481
482---
483
484**mandatory**
485
486d_alloc_root() is gone, along with a lot of bugs caused by code
487misusing it. Replacement: d_make_root(inode). On success d_make_root(inode)
488allocates and returns a new dentry instantiated with the passed in inode.
489On failure NULL is returned and the passed in inode is dropped so the reference
490to inode is consumed in all cases and failure handling need not do any cleanup
491for the inode. If d_make_root(inode) is passed a NULL inode it returns NULL
492and also requires no further error handling. Typical usage is::
493
494 inode = foofs_new_inode(....);
495 s->s_root = d_make_root(inode);
496 if (!s->s_root)
497 /* Nothing needed for the inode cleanup */
498 return -ENOMEM;
499 ...
500
501---
502
503**mandatory**
504
505The witch is dead! Well, 2/3 of it, anyway. ->d_revalidate() and
506->lookup() do *not* take struct nameidata anymore; just the flags.
507
508---
509
510**mandatory**
511
512->create() doesn't take ``struct nameidata *``; unlike the previous
513two, it gets "is it an O_EXCL or equivalent?" boolean argument. Note that
514local filesystems can ignore tha argument - they are guaranteed that the
515object doesn't exist. It's remote/distributed ones that might care...
516
517---
518
519**mandatory**
520
521FS_REVAL_DOT is gone; if you used to have it, add ->d_weak_revalidate()
522in your dentry operations instead.
523
524---
525
526**mandatory**
527
528vfs_readdir() is gone; switch to iterate_dir() instead
529
530---
531
532**mandatory**
533
534->readdir() is gone now; switch to ->iterate()
535
536**mandatory**
537
538vfs_follow_link has been removed. Filesystems must use nd_set_link
539from ->follow_link for normal symlinks, or nd_jump_link for magic
540/proc/<pid> style links.
541
542---
543
544**mandatory**
545
546iget5_locked()/ilookup5()/ilookup5_nowait() test() callback used to be
547called with both ->i_lock and inode_hash_lock held; the former is *not*
548taken anymore, so verify that your callbacks do not rely on it (none
549of the in-tree instances did). inode_hash_lock is still held,
550of course, so they are still serialized wrt removal from inode hash,
551as well as wrt set() callback of iget5_locked().
552
553---
554
555**mandatory**
556
557d_materialise_unique() is gone; d_splice_alias() does everything you
558need now. Remember that they have opposite orders of arguments ;-/
559
560---
561
562**mandatory**
563
564f_dentry is gone; use f_path.dentry, or, better yet, see if you can avoid
565it entirely.
566
567---
568
569**mandatory**
570
571never call ->read() and ->write() directly; use __vfs_{read,write} or
572wrappers; instead of checking for ->write or ->read being NULL, look for
573FMODE_CAN_{WRITE,READ} in file->f_mode.
574
575---
576
577**mandatory**
578
579do _not_ use new_sync_{read,write} for ->read/->write; leave it NULL
580instead.
581
582---
583
584**mandatory**
585 ->aio_read/->aio_write are gone. Use ->read_iter/->write_iter.
586
587---
588
589**recommended**
590
591for embedded ("fast") symlinks just set inode->i_link to wherever the
592symlink body is and use simple_follow_link() as ->follow_link().
593
594---
595
596**mandatory**
597
598calling conventions for ->follow_link() have changed. Instead of returning
599cookie and using nd_set_link() to store the body to traverse, we return
600the body to traverse and store the cookie using explicit void ** argument.
601nameidata isn't passed at all - nd_jump_link() doesn't need it and
602nd_[gs]et_link() is gone.
603
604---
605
606**mandatory**
607
608calling conventions for ->put_link() have changed. It gets inode instead of
609dentry, it does not get nameidata at all and it gets called only when cookie
610is non-NULL. Note that link body isn't available anymore, so if you need it,
611store it as cookie.
612
613---
614
615**mandatory**
616
617any symlink that might use page_follow_link_light/page_put_link() must
618have inode_nohighmem(inode) called before anything might start playing with
619its pagecache. No highmem pages should end up in the pagecache of such
620symlinks. That includes any preseeding that might be done during symlink
621creation. __page_symlink() will honour the mapping gfp flags, so once
622you've done inode_nohighmem() it's safe to use, but if you allocate and
623insert the page manually, make sure to use the right gfp flags.
624
625---
626
627**mandatory**
628
629->follow_link() is replaced with ->get_link(); same API, except that
630
631 * ->get_link() gets inode as a separate argument
632 * ->get_link() may be called in RCU mode - in that case NULL
633 dentry is passed
634
635---
636
637**mandatory**
638
639->get_link() gets struct delayed_call ``*done`` now, and should do
640set_delayed_call() where it used to set ``*cookie``.
641
642->put_link() is gone - just give the destructor to set_delayed_call()
643in ->get_link().
644
645---
646
647**mandatory**
648
649->getxattr() and xattr_handler.get() get dentry and inode passed separately.
650dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
651in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
652called before we attach dentry to inode.
653
654---
655
656**mandatory**
657
658symlinks are no longer the only inodes that do *not* have i_bdev/i_cdev/
659i_pipe/i_link union zeroed out at inode eviction. As the result, you can't
660assume that non-NULL value in ->i_nlink at ->destroy_inode() implies that
661it's a symlink. Checking ->i_mode is really needed now. In-tree we had
662to fix shmem_destroy_callback() that used to take that kind of shortcut;
663watch out, since that shortcut is no longer valid.
664
665---
666
667**mandatory**
668
669->i_mutex is replaced with ->i_rwsem now. inode_lock() et.al. work as
670they used to - they just take it exclusive. However, ->lookup() may be
671called with parent locked shared. Its instances must not
672
673 * use d_instantiate) and d_rehash() separately - use d_add() or
674 d_splice_alias() instead.
675 * use d_rehash() alone - call d_add(new_dentry, NULL) instead.
676 * in the unlikely case when (read-only) access to filesystem
677 data structures needs exclusion for some reason, arrange it
678 yourself. None of the in-tree filesystems needed that.
679 * rely on ->d_parent and ->d_name not changing after dentry has
680 been fed to d_add() or d_splice_alias(). Again, none of the
681 in-tree instances relied upon that.
682
683We are guaranteed that lookups of the same name in the same directory
684will not happen in parallel ("same" in the sense of your ->d_compare()).
685Lookups on different names in the same directory can and do happen in
686parallel now.
687
688---
689
690**recommended**
691
692->iterate_shared() is added; it's a parallel variant of ->iterate().
693Exclusion on struct file level is still provided (as well as that
694between it and lseek on the same struct file), but if your directory
695has been opened several times, you can get these called in parallel.
696Exclusion between that method and all directory-modifying ones is
697still provided, of course.
698
699Often enough ->iterate() can serve as ->iterate_shared() without any
700changes - it is a read-only operation, after all. If you have any
701per-inode or per-dentry in-core data structures modified by ->iterate(),
702you might need something to serialize the access to them. If you
703do dcache pre-seeding, you'll need to switch to d_alloc_parallel() for
704that; look for in-tree examples.
705
706Old method is only used if the new one is absent; eventually it will
707be removed. Switch while you still can; the old one won't stay.
708
709---
710
711**mandatory**
712
713->atomic_open() calls without O_CREAT may happen in parallel.
714
715---
716
717**mandatory**
718
719->setxattr() and xattr_handler.set() get dentry and inode passed separately.
720dentry might be yet to be attached to inode, so do _not_ use its ->d_inode
721in the instances. Rationale: !@#!@# security_d_instantiate() needs to be
722called before we attach dentry to inode and !@#!@##!@$!$#!@#$!@$!@$ smack
723->d_instantiate() uses not just ->getxattr() but ->setxattr() as well.
724
725---
726
727**mandatory**
728
729->d_compare() doesn't get parent as a separate argument anymore. If you
730used it for finding the struct super_block involved, dentry->d_sb will
731work just as well; if it's something more complicated, use dentry->d_parent.
732Just be careful not to assume that fetching it more than once will yield
733the same value - in RCU mode it could change under you.
734
735---
736
737**mandatory**
738
739->rename() has an added flags argument. Any flags not handled by the
740filesystem should result in EINVAL being returned.
741
742---
743
744
745**recommended**
746
747->readlink is optional for symlinks. Don't set, unless filesystem needs
748to fake something for readlink(2).
749
750---
751
752**mandatory**
753
754->getattr() is now passed a struct path rather than a vfsmount and
755dentry separately, and it now has request_mask and query_flags arguments
756to specify the fields and sync type requested by statx. Filesystems not
757supporting any statx-specific features may ignore the new arguments.
758
759---
760
761**mandatory**
762
763->atomic_open() calling conventions have changed. Gone is ``int *opened``,
764along with FILE_OPENED/FILE_CREATED. In place of those we have
765FMODE_OPENED/FMODE_CREATED, set in file->f_mode. Additionally, return
766value for 'called finish_no_open(), open it yourself' case has become
7670, not 1. Since finish_no_open() itself is returning 0 now, that part
768does not need any changes in ->atomic_open() instances.
769
770---
771
772**mandatory**
773
774alloc_file() has become static now; two wrappers are to be used instead.
775alloc_file_pseudo(inode, vfsmount, name, flags, ops) is for the cases
776when dentry needs to be created; that's the majority of old alloc_file()
777users. Calling conventions: on success a reference to new struct file
778is returned and callers reference to inode is subsumed by that. On
779failure, ERR_PTR() is returned and no caller's references are affected,
780so the caller needs to drop the inode reference it held.
781alloc_file_clone(file, flags, ops) does not affect any caller's references.
782On success you get a new struct file sharing the mount/dentry with the
783original, on failure - ERR_PTR().
784
785---
786
787**mandatory**
788
789->clone_file_range() and ->dedupe_file_range have been replaced with
790->remap_file_range(). See Documentation/filesystems/vfs.rst for more
791information.
792
793---
794
795**recommended**
796
797->lookup() instances doing an equivalent of::
798
799 if (IS_ERR(inode))
800 return ERR_CAST(inode);
801 return d_splice_alias(inode, dentry);
802
803don't need to bother with the check - d_splice_alias() will do the
804right thing when given ERR_PTR(...) as inode. Moreover, passing NULL
805inode to d_splice_alias() will also do the right thing (equivalent of
806d_add(dentry, NULL); return NULL;), so that kind of special cases
807also doesn't need a separate treatment.
808
809---
810
811**strongly recommended**
812
813take the RCU-delayed parts of ->destroy_inode() into a new method -
814->free_inode(). If ->destroy_inode() becomes empty - all the better,
815just get rid of it. Synchronous work (e.g. the stuff that can't
816be done from an RCU callback, or any WARN_ON() where we want the
817stack trace) *might* be movable to ->evict_inode(); however,
818that goes only for the things that are not needed to balance something
819done by ->alloc_inode(). IOW, if it's cleaning up the stuff that
820might have accumulated over the life of in-core inode, ->evict_inode()
821might be a fit.
822
823Rules for inode destruction:
824
825 * if ->destroy_inode() is non-NULL, it gets called
826 * if ->free_inode() is non-NULL, it gets scheduled by call_rcu()
827 * combination of NULL ->destroy_inode and NULL ->free_inode is
828 treated as NULL/free_inode_nonrcu, to preserve the compatibility.
829
830Note that the callback (be it via ->free_inode() or explicit call_rcu()
831in ->destroy_inode()) is *NOT* ordered wrt superblock destruction;
832as the matter of fact, the superblock and all associated structures
833might be already gone. The filesystem driver is guaranteed to be still
834there, but that's it. Freeing memory in the callback is fine; doing
835more than that is possible, but requires a lot of care and is best
836avoided.
837
838---
839
840**mandatory**
841
842DCACHE_RCUACCESS is gone; having an RCU delay on dentry freeing is the
843default. DCACHE_NORCU opts out, and only d_alloc_pseudo() has any
844business doing so.
845
846---
847
848**mandatory**
849
850d_alloc_pseudo() is internal-only; uses outside of alloc_file_pseudo() are
851very suspect (and won't work in modules). Such uses are very likely to
852be misspelled d_alloc_anon().
853
854---
855
856**mandatory**
857
858[should've been added in 2016] stale comment in finish_open() nonwithstanding,
859failure exits in ->atomic_open() instances should *NOT* fput() the file,
860no matter what. Everything is handled by the caller.
861
862---
863
864**mandatory**
865
866clone_private_mount() returns a longterm mount now, so the proper destructor of
867its result is kern_unmount() or kern_unmount_array().