Overview of the Linux Virtual File System Original author: Richard Gooch <rgooch@atnf.csiro.au> Last updated on August 25, 2005 Copyright (C) 1999 Richard Gooch Copyright (C) 2005 Pekka Enberg This file is released under the GPLv2. What is it? =========== The Virtual File System (otherwise known as the Virtual Filesystem Switch) is the software layer in the kernel that provides the filesystem interface to userspace programs. It also provides an abstraction within the kernel which allows different filesystem implementations to coexist. A Quick Look At How It Works ============================ In this section I'll briefly describe how things work, before launching into the details. I'll start with describing what happens when user programs open and manipulate files, and then look from the other view which is how a filesystem is supported and subsequently mounted. Opening a File -------------- The VFS implements the open(2), stat(2), chmod(2) and similar system calls. The pathname argument is used by the VFS to search through the directory entry cache (dentry cache or "dcache"). This provides a very fast look-up mechanism to translate a pathname (filename) into a specific dentry. An individual dentry usually has a pointer to an inode. Inodes are the things that live on disc drives, and can be regular files (you know: those things that you write data into), directories, FIFOs and other beasts. Dentries live in RAM and are never saved to disc: they exist only for performance. Inodes live on disc and are copied into memory when required. Later any changes are written back to disc. The inode that lives in RAM is a VFS inode, and it is this which the dentry points to. A single inode can be pointed to by multiple dentries (think about hardlinks). The dcache is meant to be a view into your entire filespace. Unlike Linus, most of us losers can't fit enough dentries into RAM to cover all of our filespace, so the dcache has bits missing. In order to resolve your pathname into a dentry, the VFS may have to resort to creating dentries along the way, and then loading the inode. This is done by looking up the inode. To look up an inode (usually read from disc) requires that the VFS calls the lookup() method of the parent directory inode. This method is installed by the specific filesystem implementation that the inode lives in. There will be more on this later. Once the VFS has the required dentry (and hence the inode), we can do all those boring things like open(2) the file, or stat(2) it to peek at the inode data. The stat(2) operation is fairly simple: once the VFS has the dentry, it peeks at the inode data and passes some of it back to userspace. Opening a file requires another operation: allocation of a file structure (this is the kernel-side implementation of file descriptors). The freshly allocated file structure is initialized with a pointer to the dentry and a set of file operation member functions. These are taken from the inode data. The open() file method is then called so the specific filesystem implementation can do it's work. You can see that this is another switch performed by the VFS. The file structure is placed into the file descriptor table for the process. Reading, writing and closing files (and other assorted VFS operations) is done by using the userspace file descriptor to grab the appropriate file structure, and then calling the required file structure method function to do whatever is required. For as long as the file is open, it keeps the dentry "open" (in use), which in turn means that the VFS inode is still in use. All VFS system calls (i.e. open(2), stat(2), read(2), write(2), chmod(2) and so on) are called from a process context. You should assume that these calls are made without any kernel locks being held. This means that the processes may be executing the same piece of filesystem or driver code at the same time, on different processors. You should ensure that access to shared resources is protected by appropriate locks. Registering and Mounting a Filesystem ------------------------------------- If you want to support a new kind of filesystem in the kernel, all you need to do is call register_filesystem(). You pass a structure describing the filesystem implementation (struct file_system_type) which is then added to an internal table of supported filesystems. You can do: % cat /proc/filesystems to see what filesystems are currently available on your system. When a request is made to mount a block device onto a directory in your filespace the VFS will call the appropriate method for the specific filesystem. The dentry for the mount point will then be updated to point to the root inode for the new filesystem. It's now time to look at things in more detail. struct file_system_type ======================= This describes the filesystem. As of kernel 2.6.13, the following members are defined: struct file_system_type { const char *name; int fs_flags; struct super_block *(*get_sb) (struct file_system_type *, int, const char *, void *); void (*kill_sb) (struct super_block *); struct module *owner; struct file_system_type * next; struct list_head fs_supers; }; name: the name of the filesystem type, such as "ext2", "iso9660", "msdos" and so on fs_flags: various flags (i.e. FS_REQUIRES_DEV, FS_NO_DCACHE, etc.) get_sb: the method to call when a new instance of this filesystem should be mounted kill_sb: the method to call when an instance of this filesystem should be unmounted owner: for internal VFS use: you should initialize this to THIS_MODULE in most cases. next: for internal VFS use: you should initialize this to NULL The get_sb() method has the following arguments: struct super_block *sb: the superblock structure. This is partially initialized by the VFS and the rest must be initialized by the get_sb() method int flags: mount flags const char *dev_name: the device name we are mounting. void *data: arbitrary mount options, usually comes as an ASCII string int silent: whether or not to be silent on error The get_sb() method must determine if the block device specified in the superblock contains a filesystem of the type the method supports. On success the method returns the superblock pointer, on failure it returns NULL. The most interesting member of the superblock structure that the get_sb() method fills in is the "s_op" field. This is a pointer to a "struct super_operations" which describes the next level of the filesystem implementation. Usually, a filesystem uses generic one of the generic get_sb() implementations and provides a fill_super() method instead. The generic methods are: get_sb_bdev: mount a filesystem residing on a block device get_sb_nodev: mount a filesystem that is not backed by a device get_sb_single: mount a filesystem which shares the instance between all mounts A fill_super() method implementation has the following arguments: struct super_block *sb: the superblock structure. The method fill_super() must initialize this properly. void *data: arbitrary mount options, usually comes as an ASCII string int silent: whether or not to be silent on error struct super_operations ======================= This describes how the VFS can manipulate the superblock of your filesystem. As of kernel 2.6.13, the following members are defined: struct super_operations { struct inode *(*alloc_inode)(struct super_block *sb); void (*destroy_inode)(struct inode *); void (*read_inode) (struct inode *); void (*dirty_inode) (struct inode *); int (*write_inode) (struct inode *, int); void (*put_inode) (struct inode *); void (*drop_inode) (struct inode *); void (*delete_inode) (struct inode *); void (*put_super) (struct super_block *); void (*write_super) (struct super_block *); int (*sync_fs)(struct super_block *sb, int wait); void (*write_super_lockfs) (struct super_block *); void (*unlockfs) (struct super_block *); int (*statfs) (struct super_block *, struct kstatfs *); int (*remount_fs) (struct super_block *, int *, char *); void (*clear_inode) (struct inode *); void (*umount_begin) (struct super_block *); void (*sync_inodes) (struct super_block *sb, struct writeback_control *wbc); int (*show_options)(struct seq_file *, struct vfsmount *); ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t); ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t); }; All methods are called without any locks being held, unless otherwise noted. This means that most methods can block safely. All methods are only called from a process context (i.e. not from an interrupt handler or bottom half). alloc_inode: this method is called by inode_alloc() to allocate memory for struct inode and initialize it. destroy_inode: this method is called by destroy_inode() to release resources allocated for struct inode. read_inode: this method is called to read a specific inode from the mounted filesystem. The i_ino member in the struct inode is initialized by the VFS to indicate which inode to read. Other members are filled in by this method. You can set this to NULL and use iget5_locked() instead of iget() to read inodes. This is necessary for filesystems for which the inode number is not sufficient to identify an inode. dirty_inode: this method is called by the VFS to mark an inode dirty. write_inode: this method is called when the VFS needs to write an inode to disc. The second parameter indicates whether the write should be synchronous or not, not all filesystems check this flag. put_inode: called when the VFS inode is removed from the inode cache. drop_inode: called when the last access to the inode is dropped, with the inode_lock spinlock held. This method should be either NULL (normal UNIX filesystem semantics) or "generic_delete_inode" (for filesystems that do not want to cache inodes - causing "delete_inode" to always be called regardless of the value of i_nlink) The "generic_delete_inode()" behavior is equivalent to the old practice of using "force_delete" in the put_inode() case, but does not have the races that the "force_delete()" approach had. delete_inode: called when the VFS wants to delete an inode put_super: called when the VFS wishes to free the superblock (i.e. unmount). This is called with the superblock lock held write_super: called when the VFS superblock needs to be written to disc. This method is optional sync_fs: called when VFS is writing out all dirty data associated with a superblock. The second parameter indicates whether the method should wait until the write out has been completed. Optional. write_super_lockfs: called when VFS is locking a filesystem and forcing it into a consistent state. This function is currently used by the Logical Volume Manager (LVM). unlockfs: called when VFS is unlocking a filesystem and making it writable again. statfs: called when the VFS needs to get filesystem statistics. This is called with the kernel lock held remount_fs: called when the filesystem is remounted. This is called with the kernel lock held clear_inode: called then the VFS clears the inode. Optional umount_begin: called when the VFS is unmounting a filesystem. sync_inodes: called when the VFS is writing out dirty data associated with a superblock. show_options: called by the VFS to show mount options for /proc/<pid>/mounts. quota_read: called by the VFS to read from filesystem quota file. quota_write: called by the VFS to write to filesystem quota file. The read_inode() method is responsible for filling in the "i_op" field. This is a pointer to a "struct inode_operations" which describes the methods that can be performed on individual inodes. struct inode_operations ======================= This describes how the VFS can manipulate an inode in your filesystem. As of kernel 2.6.13, the following members are defined: struct inode_operations { int (*create) (struct inode *,struct dentry *,int, struct nameidata *); struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameidata *); int (*link) (struct dentry *,struct inode *,struct dentry *); int (*unlink) (struct inode *,struct dentry *); int (*symlink) (struct inode *,struct dentry *,const char *); int (*mkdir) (struct inode *,struct dentry *,int); int (*rmdir) (struct inode *,struct dentry *); int (*mknod) (struct inode *,struct dentry *,int,dev_t); int (*rename) (struct inode *, struct dentry *, struct inode *, struct dentry *); int (*readlink) (struct dentry *, char __user *,int); void * (*follow_link) (struct dentry *, struct nameidata *); void (*put_link) (struct dentry *, struct nameidata *, void *); void (*truncate) (struct inode *); int (*permission) (struct inode *, int, struct nameidata *); int (*setattr) (struct dentry *, struct iattr *); int (*getattr) (struct vfsmount *mnt, struct dentry *, struct kstat *); int (*setxattr) (struct dentry *, const char *,const void *,size_t,int); ssize_t (*getxattr) (struct dentry *, const char *, void *, size_t); ssize_t (*listxattr) (struct dentry *, char *, size_t); int (*removexattr) (struct dentry *, const char *); }; Again, all methods are called without any locks being held, unless otherwise noted. create: called by the open(2) and creat(2) system calls. Only required if you want to support regular files. The dentry you get should not have an inode (i.e. it should be a negative dentry). Here you will probably call d_instantiate() with the dentry and the newly created inode lookup: called when the VFS needs to look up an inode in a parent directory. The name to look for is found in the dentry. This method must call d_add() to insert the found inode into the dentry. The "i_count" field in the inode structure should be incremented. If the named inode does not exist a NULL inode should be inserted into the dentry (this is called a negative dentry). Returning an error code from this routine must only be done on a real error, otherwise creating inodes with system calls like create(2), mknod(2), mkdir(2) and so on will fail. If you wish to overload the dentry methods then you should initialise the "d_dop" field in the dentry; this is a pointer to a struct "dentry_operations". This method is called with the directory inode semaphore held link: called by the link(2) system call. Only required if you want to support hard links. You will probably need to call d_instantiate() just as you would in the create() method unlink: called by the unlink(2) system call. Only required if you want to support deleting inodes symlink: called by the symlink(2) system call. Only required if you want to support symlinks. You will probably need to call d_instantiate() just as you would in the create() method mkdir: called by the mkdir(2) system call. Only required if you want to support creating subdirectories. You will probably need to call d_instantiate() just as you would in the create() method rmdir: called by the rmdir(2) system call. Only required if you want to support deleting subdirectories mknod: called by the mknod(2) system call to create a device (char, block) inode or a named pipe (FIFO) or socket. Only required if you want to support creating these types of inodes. You will probably need to call d_instantiate() just as you would in the create() method readlink: called by the readlink(2) system call. Only required if you want to support reading symbolic links follow_link: called by the VFS to follow a symbolic link to the inode it points to. Only required if you want to support symbolic links. This function returns a void pointer cookie that is passed to put_link(). put_link: called by the VFS to release resources allocated by follow_link(). The cookie returned by follow_link() is passed to to this function as the last parameter. It is used by filesystems such as NFS where page cache is not stable (i.e. page that was installed when the symbolic link walk started might not be in the page cache at the end of the walk). truncate: called by the VFS to change the size of a file. The i_size field of the inode is set to the desired size by the VFS before this function is called. This function is called by the truncate(2) system call and related functionality. permission: called by the VFS to check for access rights on a POSIX-like filesystem. setattr: called by the VFS to set attributes for a file. This function is called by chmod(2) and related system calls. getattr: called by the VFS to get attributes of a file. This function is called by stat(2) and related system calls. setxattr: called by the VFS to set an extended attribute for a file. Extended attribute is a name:value pair associated with an inode. This function is called by setxattr(2) system call. getxattr: called by the VFS to retrieve the value of an extended attribute name. This function is called by getxattr(2) function call. listxattr: called by the VFS to list all extended attributes for a given file. This function is called by listxattr(2) system call. removexattr: called by the VFS to remove an extended attribute from a file. This function is called by removexattr(2) system call. struct address_space_operations =============================== This describes how the VFS can manipulate mapping of a file to page cache in your filesystem. As of kernel 2.6.13, the following members are defined: struct address_space_operations { int (*writepage)(struct page *page, struct writeback_control *wbc); int (*readpage)(struct file *, struct page *); int (*sync_page)(struct page *); int (*writepages)(struct address_space *, struct writeback_control *); int (*set_page_dirty)(struct page *page); int (*readpages)(struct file *filp, struct address_space *mapping, struct list_head *pages, unsigned nr_pages); int (*prepare_write)(struct file *, struct page *, unsigned, unsigned); int (*commit_write)(struct file *, struct page *, unsigned, unsigned); sector_t (*bmap)(struct address_space *, sector_t); int (*invalidatepage) (struct page *, unsigned long); int (*releasepage) (struct page *, int); ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov, loff_t offset, unsigned long nr_segs); struct page* (*get_xip_page)(struct address_space *, sector_t, int); }; writepage: called by the VM write a dirty page to backing store. readpage: called by the VM to read a page from backing store. sync_page: called by the VM to notify the backing store to perform all queued I/O operations for a page. I/O operations for other pages associated with this address_space object may also be performed. writepages: called by the VM to write out pages associated with the address_space object. set_page_dirty: called by the VM to set a page dirty. readpages: called by the VM to read pages associated with the address_space object. prepare_write: called by the generic write path in VM to set up a write request for a page. commit_write: called by the generic write path in VM to write page to its backing store. bmap: called by the VFS to map a logical block offset within object to physical block number. This method is use by for the legacy FIBMAP ioctl. Other uses are discouraged. invalidatepage: called by the VM on truncate to disassociate a page from its address_space mapping. releasepage: called by the VFS to release filesystem specific metadata from a page. direct_IO: called by the VM for direct I/O writes and reads. get_xip_page: called by the VM to translate a block number to a page. The page is valid until the corresponding filesystem is unmounted. Filesystems that want to use execute-in-place (XIP) need to implement it. An example implementation can be found in fs/ext2/xip.c. struct file_operations ====================== This describes how the VFS can manipulate an open file. As of kernel 2.6.13, the following members are defined: struct file_operations { loff_t (*llseek) (struct file *, loff_t, int); ssize_t (*read) (struct file *, char __user *, size_t, loff_t *); ssize_t (*aio_read) (struct kiocb *, char __user *, size_t, loff_t); ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); ssize_t (*aio_write) (struct kiocb *, const char __user *, size_t, loff_t); int (*readdir) (struct file *, void *, filldir_t); unsigned int (*poll) (struct file *, struct poll_table_struct *); int (*ioctl) (struct inode *, struct file *, unsigned int, unsigned long); long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long); long (*compat_ioctl) (struct file *, unsigned int, unsigned long); int (*mmap) (struct file *, struct vm_area_struct *); int (*open) (struct inode *, struct file *); int (*flush) (struct file *); int (*release) (struct inode *, struct file *); int (*fsync) (struct file *, struct dentry *, int datasync); int (*aio_fsync) (struct kiocb *, int datasync); int (*fasync) (int, struct file *, int); int (*lock) (struct file *, int, struct file_lock *); ssize_t (*readv) (struct file *, const struct iovec *, unsigned long, loff_t *); ssize_t (*writev) (struct file *, const struct iovec *, unsigned long, loff_t *); ssize_t (*sendfile) (struct file *, loff_t *, size_t, read_actor_t, void *); ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); int (*check_flags)(int); int (*dir_notify)(struct file *filp, unsigned long arg); int (*flock) (struct file *, int, struct file_lock *); }; Again, all methods are called without any locks being held, unless otherwise noted. llseek: called when the VFS needs to move the file position index read: called by read(2) and related system calls aio_read: called by io_submit(2) and other asynchronous I/O operations write: called by write(2) and related system calls aio_write: called by io_submit(2) and other asynchronous I/O operations readdir: called when the VFS needs to read the directory contents poll: called by the VFS when a process wants to check if there is activity on this file and (optionally) go to sleep until there is activity. Called by the select(2) and poll(2) system calls ioctl: called by the ioctl(2) system call unlocked_ioctl: called by the ioctl(2) system call. Filesystems that do not require the BKL should use this method instead of the ioctl() above. compat_ioctl: called by the ioctl(2) system call when 32 bit system calls are used on 64 bit kernels. mmap: called by the mmap(2) system call open: called by the VFS when an inode should be opened. When the VFS opens a file, it creates a new "struct file". It then calls the open method for the newly allocated file structure. You might think that the open method really belongs in "struct inode_operations", and you may be right. I think it's done the way it is because it makes filesystems simpler to implement. The open() method is a good place to initialize the "private_data" member in the file structure if you want to point to a device structure flush: called by the close(2) system call to flush a file release: called when the last reference to an open file is closed fsync: called by the fsync(2) system call fasync: called by the fcntl(2) system call when asynchronous (non-blocking) mode is enabled for a file lock: called by the fcntl(2) system call for F_GETLK, F_SETLK, and F_SETLKW commands readv: called by the readv(2) system call writev: called by the writev(2) system call sendfile: called by the sendfile(2) system call get_unmapped_area: called by the mmap(2) system call check_flags: called by the fcntl(2) system call for F_SETFL command dir_notify: called by the fcntl(2) system call for F_NOTIFY command flock: called by the flock(2) system call Note that the file operations are implemented by the specific filesystem in which the inode resides. When opening a device node (character or block special) most filesystems will call special support routines in the VFS which will locate the required device driver information. These support routines replace the filesystem file operations with those for the device driver, and then proceed to call the new open() method for the file. This is how opening a device file in the filesystem eventually ends up calling the device driver open() method. Directory Entry Cache (dcache) ============================== struct dentry_operations ------------------------ This describes how a filesystem can overload the standard dentry operations. Dentries and the dcache are the domain of the VFS and the individual filesystem implementations. Device drivers have no business here. These methods may be set to NULL, as they are either optional or the VFS uses a default. As of kernel 2.6.13, the following members are defined: struct dentry_operations { int (*d_revalidate)(struct dentry *, struct nameidata *); int (*d_hash) (struct dentry *, struct qstr *); int (*d_compare) (struct dentry *, struct qstr *, struct qstr *); int (*d_delete)(struct dentry *); void (*d_release)(struct dentry *); void (*d_iput)(struct dentry *, struct inode *); }; d_revalidate: called when the VFS needs to revalidate a dentry. This is called whenever a name look-up finds a dentry in the dcache. Most filesystems leave this as NULL, because all their dentries in the dcache are valid d_hash: called when the VFS adds a dentry to the hash table d_compare: called when a dentry should be compared with another d_delete: called when the last reference to a dentry is deleted. This means no-one is using the dentry, however it is still valid and in the dcache d_release: called when a dentry is really deallocated d_iput: called when a dentry loses its inode (just prior to its being deallocated). The default when this is NULL is that the VFS calls iput(). If you define this method, you must call iput() yourself Each dentry has a pointer to its parent dentry, as well as a hash list of child dentries. Child dentries are basically like files in a directory. Directory Entry Cache APIs -------------------------- There are a number of functions defined which permit a filesystem to manipulate dentries: dget: open a new handle for an existing dentry (this just increments the usage count) dput: close a handle for a dentry (decrements the usage count). If the usage count drops to 0, the "d_delete" method is called and the dentry is placed on the unused list if the dentry is still in its parents hash list. Putting the dentry on the unused list just means that if the system needs some RAM, it goes through the unused list of dentries and deallocates them. If the dentry has already been unhashed and the usage count drops to 0, in this case the dentry is deallocated after the "d_delete" method is called d_drop: this unhashes a dentry from its parents hash list. A subsequent call to dput() will deallocate the dentry if its usage count drops to 0 d_delete: delete a dentry. If there are no other open references to the dentry then the dentry is turned into a negative dentry (the d_iput() method is called). If there are other references, then d_drop() is called instead d_add: add a dentry to its parents hash list and then calls d_instantiate() d_instantiate: add a dentry to the alias hash list for the inode and updates the "d_inode" member. The "i_count" member in the inode structure should be set/incremented. If the inode pointer is NULL, the dentry is called a "negative dentry". This function is commonly called when an inode is created for an existing negative dentry d_lookup: look up a dentry given its parent and path name component It looks up the child of that given name from the dcache hash table. If it is found, the reference count is incremented and the dentry is returned. The caller must use d_put() to free the dentry when it finishes using it. RCU-based dcache locking model ------------------------------ On many workloads, the most common operation on dcache is to look up a dentry, given a parent dentry and the name of the child. Typically, for every open(), stat() etc., the dentry corresponding to the pathname will be looked up by walking the tree starting with the first component of the pathname and using that dentry along with the next component to look up the next level and so on. Since it is a frequent operation for workloads like multiuser environments and web servers, it is important to optimize this path. Prior to 2.5.10, dcache_lock was acquired in d_lookup and thus in every component during path look-up. Since 2.5.10 onwards, fast-walk algorithm changed this by holding the dcache_lock at the beginning and walking as many cached path component dentries as possible. This significantly decreases the number of acquisition of dcache_lock. However it also increases the lock hold time significantly and affects performance in large SMP machines. Since 2.5.62 kernel, dcache has been using a new locking model that uses RCU to make dcache look-up lock-free. The current dcache locking model is not very different from the existing dcache locking model. Prior to 2.5.62 kernel, dcache_lock protected the hash chain, d_child, d_alias, d_lru lists as well as d_inode and several other things like mount look-up. RCU-based changes affect only the way the hash chain is protected. For everything else the dcache_lock must be taken for both traversing as well as updating. The hash chain updates too take the dcache_lock. The significant change is the way d_lookup traverses the hash chain, it doesn't acquire the dcache_lock for this and rely on RCU to ensure that the dentry has not been *freed*. Dcache locking details ---------------------- For many multi-user workloads, open() and stat() on files are very frequently occurring operations. Both involve walking of path names to find the dentry corresponding to the concerned file. In 2.4 kernel, dcache_lock was held during look-up of each path component. Contention and cache-line bouncing of this global lock caused significant scalability problems. With the introduction of RCU in Linux kernel, this was worked around by making the look-up of path components during path walking lock-free. Safe lock-free look-up of dcache hash table =========================================== Dcache is a complex data structure with the hash table entries also linked together in other lists. In 2.4 kernel, dcache_lock protected all the lists. We applied RCU only on hash chain walking. The rest of the lists are still protected by dcache_lock. Some of the important changes are : 1. The deletion from hash chain is done using hlist_del_rcu() macro which doesn't initialize next pointer of the deleted dentry and this allows us to walk safely lock-free while a deletion is happening. 2. Insertion of a dentry into the hash table is done using hlist_add_head_rcu() which take care of ordering the writes - the writes to the dentry must be visible before the dentry is inserted. This works in conjunction with hlist_for_each_rcu() while walking the hash chain. The only requirement is that all initialization to the dentry must be done before hlist_add_head_rcu() since we don't have dcache_lock protection while traversing the hash chain. This isn't different from the existing code. 3. The dentry looked up without holding dcache_lock by cannot be returned for walking if it is unhashed. It then may have a NULL d_inode or other bogosity since RCU doesn't protect the other fields in the dentry. We therefore use a flag DCACHE_UNHASHED to indicate unhashed dentries and use this in conjunction with a per-dentry lock (d_lock). Once looked up without the dcache_lock, we acquire the per-dentry lock (d_lock) and check if the dentry is unhashed. If so, the look-up is failed. If not, the reference count of the dentry is increased and the dentry is returned. 4. Once a dentry is looked up, it must be ensured during the path walk for that component it doesn't go away. In pre-2.5.10 code, this was done holding a reference to the dentry. dcache_rcu does the same. In some sense, dcache_rcu path walking looks like the pre-2.5.10 version. 5. All dentry hash chain updates must take the dcache_lock as well as the per-dentry lock in that order. dput() does this to ensure that a dentry that has just been looked up in another CPU doesn't get deleted before dget() can be done on it. 6. There are several ways to do reference counting of RCU protected objects. One such example is in ipv4 route cache where deferred freeing (using call_rcu()) is done as soon as the reference count goes to zero. This cannot be done in the case of dentries because tearing down of dentries require blocking (dentry_iput()) which isn't supported from RCU callbacks. Instead, tearing down of dentries happen synchronously in dput(), but actual freeing happens later when RCU grace period is over. This allows safe lock-free walking of the hash chains, but a matched dentry may have been partially torn down. The checking of DCACHE_UNHASHED flag with d_lock held detects such dentries and prevents them from being returned from look-up. Maintaining POSIX rename semantics ================================== Since look-up of dentries is lock-free, it can race against a concurrent rename operation. For example, during rename of file A to B, look-up of either A or B must succeed. So, if look-up of B happens after A has been removed from the hash chain but not added to the new hash chain, it may fail. Also, a comparison while the name is being written concurrently by a rename may result in false positive matches violating rename semantics. Issues related to race with rename are handled as described below : 1. Look-up can be done in two ways - d_lookup() which is safe from simultaneous renames and __d_lookup() which is not. If __d_lookup() fails, it must be followed up by a d_lookup() to correctly determine whether a dentry is in the hash table or not. d_lookup() protects look-ups using a sequence lock (rename_lock). 2. The name associated with a dentry (d_name) may be changed if a rename is allowed to happen simultaneously. To avoid memcmp() in __d_lookup() go out of bounds due to a rename and false positive comparison, the name comparison is done while holding the per-dentry lock. This prevents concurrent renames during this operation. 3. Hash table walking during look-up may move to a different bucket as the current dentry is moved to a different bucket due to rename. But we use hlists in dcache hash table and they are null-terminated. So, even if a dentry moves to a different bucket, hash chain walk will terminate. [with a list_head list, it may not since termination is when the list_head in the original bucket is reached]. Since we redo the d_parent check and compare name while holding d_lock, lock-free look-up will not race against d_move(). 4. There can be a theoretical race when a dentry keeps coming back to original bucket due to double moves. Due to this look-up may consider that it has never moved and can end up in a infinite loop. But this is not any worse that theoretical livelocks we already have in the kernel. Important guidelines for filesystem developers related to dcache_rcu ==================================================================== 1. Existing dcache interfaces (pre-2.5.62) exported to filesystem don't change. Only dcache internal implementation changes. However filesystems *must not* delete from the dentry hash chains directly using the list macros like allowed earlier. They must use dcache APIs like d_drop() or __d_drop() depending on the situation. 2. d_flags is now protected by a per-dentry lock (d_lock). All access to d_flags must be protected by it. 3. For a hashed dentry, checking of d_count needs to be protected by d_lock. Papers and other documentation on dcache locking ================================================ 1. Scaling dcache with RCU (http://linuxjournal.com/article.php?sid=7124). 2. http://lse.sourceforge.net/locking/dcache/dcache.html