union_subr.c   [plain text]

/*
 * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
/*
 * Copyright (c) 1994 Jan-Simon Pendry
 * Copyright (c) 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Jan-Simon Pendry.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)union_subr.c	8.20 (Berkeley) 5/20/95
 */
/*
 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
 * support for mandatory and extensible security protections.  This notice
 * is included in support of clause 2.2 (b) of the Apple Public License,
 * Version 2.0.
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc_internal.h>
#include <sys/kauth.h>
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/vnode_internal.h>
#include <sys/namei.h>
#include <sys/malloc.h>
#include <sys/file_internal.h>
#include <sys/filedesc.h>
#include <sys/queue.h>
#include <sys/mount_internal.h>
#include <sys/stat.h>
#include <sys/ubc.h>
#include <sys/uio_internal.h>
#include <miscfs/union/union.h>
#include <sys/lock.h>
#include <sys/kdebug.h>
#if CONFIG_MACF
#include <security/mac_framework.h>
#endif


static int union_vn_close(struct vnode *vp, int fmode, vfs_context_t ctx);

/* must be power of two, otherwise change UNION_HASH() */
#define NHASH 32

/* unsigned int ... */
#define UNION_HASH(u, l) \
	(((((uintptr_t) (u)) + ((uintptr_t) l)) >> 8) & (NHASH-1))

static LIST_HEAD(unhead, union_node) unhead[NHASH];
static int unvplock[NHASH];

static lck_grp_t * union_lck_grp;
static lck_grp_attr_t * union_lck_grp_attr;
static lck_attr_t * union_lck_attr;
static lck_mtx_t *  union_mtxp;

static int union_dircheck(struct vnode **, struct fileproc *, vfs_context_t ctx);
static void union_newlower(struct union_node *, struct vnode *);
static void union_newupper(struct union_node *, struct vnode *);


int
union_init(__unused struct vfsconf *vfsp)
{
	int i;

	union_lck_grp_attr= lck_grp_attr_alloc_init();
#if DIAGNOSTIC
	lck_grp_attr_setstat(union_lck_grp_attr);
#endif
	union_lck_grp = lck_grp_alloc_init("union",  union_lck_grp_attr);
	union_lck_attr = lck_attr_alloc_init();
#if DIAGNOSTIC
	lck_attr_setdebug(union_lck_attr);
#endif
	union_mtxp = lck_mtx_alloc_init(union_lck_grp, union_lck_attr);

	for (i = 0; i < NHASH; i++)
		LIST_INIT(&unhead[i]);
	bzero((caddr_t) unvplock, sizeof(unvplock));
	/* add the hook for getdirentries */
	union_dircheckp = union_dircheck;
	
	return (0);
}

void
union_lock()
{
	lck_mtx_lock(union_mtxp);
}

void
union_unlock()
{
	lck_mtx_unlock(union_mtxp);
}


static int
union_list_lock(int ix)
{

	if (unvplock[ix] & UNVP_LOCKED) {
		unvplock[ix] |= UNVP_WANT;
		msleep((caddr_t) &unvplock[ix], union_mtxp, PINOD, "union_list_lock", NULL);
		return (1);
	}

	unvplock[ix] |= UNVP_LOCKED;

	return (0);
}

static void
union_list_unlock(int ix)
{

	unvplock[ix] &= ~UNVP_LOCKED;

	if (unvplock[ix] & UNVP_WANT) {
		unvplock[ix] &= ~UNVP_WANT;
		wakeup((caddr_t) &unvplock[ix]);
	}
}

/*
 *	union_updatevp:
 *
 *	The uppervp, if not NULL, must be referenced and not locked by us
 *	The lowervp, if not NULL, must be referenced.
 *
 *	If uppervp and lowervp match pointers already installed, then
 *	nothing happens. The passed vp's (when matching) are not adjusted.
 *
 *	This routine may only be called by union_newupper() and
 *	union_newlower().
 */

/* always called with union lock held */
void
union_updatevp(struct union_node *un, struct vnode *uppervp,
		struct vnode *lowervp)
{
	int ohash = UNION_HASH(un->un_uppervp, un->un_lowervp);
	int nhash = UNION_HASH(uppervp, lowervp);
	int docache = (lowervp != NULLVP || uppervp != NULLVP);
	int lhash, uhash;
	vnode_t freevp;
	vnode_t freedirvp;
	caddr_t freepath;

	/*
	 * Ensure locking is ordered from lower to higher
	 * to avoid deadlocks.
	 */
	if (nhash < ohash) {
		lhash = nhash;
		uhash = ohash;
	} else {
		lhash = ohash;
		uhash = nhash;
	}

	if (lhash != uhash) {
		while (union_list_lock(lhash))
			continue;
	}

	while (union_list_lock(uhash))
		continue;

	if (ohash != nhash || !docache) {
		if (un->un_flags & UN_CACHED) {
			un->un_flags &= ~UN_CACHED;
			LIST_REMOVE(un, un_cache);
		}
	}

	if (ohash != nhash)
		union_list_unlock(ohash);

	if (un->un_lowervp != lowervp) {
		freevp = freedirvp = NULLVP;
		freepath = (caddr_t)0;
		if (un->un_lowervp) {
			freevp = un->un_lowervp;
			un->un_lowervp = lowervp;
			if (un->un_path) {
				freepath = un->un_path; 
				un->un_path = 0;
			}
			if (un->un_dirvp) {
				freedirvp = un->un_dirvp;
				un->un_dirvp = NULLVP;
			}
			union_unlock();
			if (freevp)
				vnode_put(freevp);
			if (freedirvp)
				vnode_put(freedirvp);
			if (freepath)
				_FREE(un->un_path, M_TEMP);
			union_lock();
		} else 
			un->un_lowervp = lowervp;
		if (lowervp != NULLVP)
			un->un_lowervid = vnode_vid(lowervp);
		un->un_lowersz = VNOVAL;
	}

	if (un->un_uppervp != uppervp) {
		freevp = NULLVP;
		if (un->un_uppervp) {
			freevp = un->un_uppervp;
		}
		un->un_uppervp = uppervp;
		if (uppervp != NULLVP)
			un->un_uppervid = vnode_vid(uppervp);
		un->un_uppersz = VNOVAL;
		union_unlock();
		if (freevp)
			vnode_put(freevp);
		union_lock();
	}

	if (docache && (ohash != nhash)) {
		LIST_INSERT_HEAD(&unhead[nhash], un, un_cache);
		un->un_flags |= UN_CACHED;
	}

	union_list_unlock(nhash);
}

/*
 * Set a new lowervp.  The passed lowervp must be referenced and will be
 * stored in the vp in a referenced state. 
 */
/* always called with union lock held */

static void
union_newlower(un, lowervp)
	struct union_node *un;
	struct vnode *lowervp;
{
	union_updatevp(un, un->un_uppervp, lowervp);
}

/*
 * Set a new uppervp.  The passed uppervp must be locked and will be 
 * stored in the vp in a locked state.  The caller should not unlock
 * uppervp.
 */

/* always called with union lock held */
static void
union_newupper(un, uppervp)
	struct union_node *un;
	struct vnode *uppervp;
{
	union_updatevp(un, uppervp, un->un_lowervp);
}

/*
 * Keep track of size changes in the underlying vnodes.
 * If the size changes, then callback to the vm layer
 * giving priority to the upper layer size.
 */
/* always called with union lock held */
void
union_newsize(vp, uppersz, lowersz)
	struct vnode *vp;
	off_t uppersz, lowersz;
{
	struct union_node *un;
	off_t sz;

	/* only interested in regular files */
	if (vp->v_type != VREG)
		return;

	un = VTOUNION(vp);
	sz = VNOVAL;

	if ((uppersz != VNOVAL) && (un->un_uppersz != uppersz)) {
		un->un_uppersz = uppersz;
		if (sz == VNOVAL)
			sz = un->un_uppersz;
	}

	if ((lowersz != VNOVAL) && (un->un_lowersz != lowersz)) {
		un->un_lowersz = lowersz;
		if (sz == VNOVAL)
			sz = un->un_lowersz;
	}

	if (sz != VNOVAL) {
#ifdef UNION_DIAGNOSTIC
		printf("union: %s size now %ld\n",
			uppersz != VNOVAL ? "upper" : "lower", (long) sz);
#endif
		union_unlock();
		ubc_setsize(vp, sz);
		union_lock();
	}
}

/*
 *	union_allocvp:	allocate a union_node and associate it with a
 *			parent union_node and one or two vnodes.
 *
 *	vpp	Holds the returned vnode locked and referenced if no 
 *		error occurs.
 *
 *	mp	Holds the mount point.  mp may or may not be busied. 
 *		allocvp() makes no changes to mp.
 *
 *	dvp	Holds the parent union_node to the one we wish to create.
 *		XXX may only be used to traverse an uncopied lowervp-based
 *		tree?  XXX
 *
 *		dvp may or may not be locked.  allocvp() makes no changes
 *		to dvp.
 *
 *	upperdvp Holds the parent vnode to uppervp, generally used along
 *		with path component information to create a shadow of
 *		lowervp when uppervp does not exist.
 *
 *		upperdvp is referenced but unlocked on entry, and will be
 *		dereferenced on return.
 *
 *	uppervp	Holds the new uppervp vnode to be stored in the 
 *		union_node we are allocating.  uppervp is referenced but
 *		not locked, and will be dereferenced on return.
 *
 *	lowervp	Holds the new lowervp vnode to be stored in the
 *		union_node we are allocating.  lowervp is referenced but
 *		not locked, and will be dereferenced on return.
 * 
 *	cnp	Holds path component information to be coupled with
 *		lowervp and upperdvp to allow unionfs to create an uppervp
 *		later on.  Only used if lowervp is valid.  The contents
 *		of cnp is only valid for the duration of the call.
 *
 *	docache	Determine whether this node should be entered in the
 *		cache or whether it should be destroyed as soon as possible.
 *
 * All union_nodes are maintained on a singly-linked
 * list.  New nodes are only allocated when they cannot
 * be found on this list.  Entries on the list are
 * removed when the vfs reclaim entry is called.
 *
 * A single lock is kept for the entire list.  This is
 * needed because the getnewvnode() function can block
 * waiting for a vnode to become free, in which case there
 * may be more than one process trying to get the same
 * vnode.  This lock is only taken if we are going to
 * call getnewvnode(), since the kernel itself is single-threaded.
 *
 * If an entry is found on the list, then call vget() to
 * take a reference.  This is done because there may be
 * zero references to it and so it needs to removed from
 * the vnode free list.
 */

/* always called with union lock held */

int
union_allocvp(struct vnode **vpp,
	struct mount *mp,
	struct vnode *undvp,
	struct vnode *dvp,
	struct componentname *cnp,
	struct vnode *uppervp,
	struct vnode *lowervp,
	int docache)
{
	int error;
	struct union_node *un = NULL;
	struct union_node *unp;
	struct vnode *xlowervp = NULLVP;
	struct union_mount *um = MOUNTTOUNIONMOUNT(mp);
	int hash = 0;		/* protected by docache */
	int markroot;
	int try;
	struct vnode_fsparam vfsp;
	enum vtype vtype;

	if (uppervp == NULLVP && lowervp == NULLVP)
		panic("union: unidentifiable allocation");

	/*
	 * if both upper and lower vp are provided and are off different type
	 * consider lowervp as NULL
	 */
	if (uppervp && lowervp && (uppervp->v_type != lowervp->v_type)) {
		xlowervp = lowervp;
		lowervp = NULLVP;
	}

	/* detect the root vnode (and aliases) */
	markroot = 0;
	if ((uppervp == um->um_uppervp) &&
	    ((lowervp == NULLVP) || lowervp == um->um_lowervp)) {
		if (lowervp == NULLVP) {
			lowervp = um->um_lowervp;
			if (lowervp != NULLVP) {
				union_unlock();
				vnode_get(lowervp);
				union_lock();
			}
		}
		markroot = VROOT;
	}

loop:
	if (!docache) {
		un = NULL;
	} else for (try = 0; try < 3; try++) {
		switch (try) {
		case 0:
			if (lowervp == NULLVP)
				continue;
			hash = UNION_HASH(uppervp, lowervp);
			break;

		case 1:
			if (uppervp == NULLVP)
				continue;
			hash = UNION_HASH(uppervp, NULLVP);
			break;

		case 2:
			if (lowervp == NULLVP)
				continue;
			/* Not sure how this path gets exercised ? */
			hash = UNION_HASH(NULLVP, lowervp);
			break;
		}

		while (union_list_lock(hash))
			continue;

		for (un = unhead[hash].lh_first; un != 0;
					un = un->un_cache.le_next) {
			if ((un->un_lowervp == lowervp ||
			     un->un_lowervp == NULLVP) &&
			    (un->un_uppervp == uppervp ||
			     un->un_uppervp == NULLVP) &&
			    (un->un_mount == mp)) {
				break;
			}
		}

		union_list_unlock(hash);

		if (un)
			break;
	}

	if (un) {
		/*
		 * Obtain a lock on the union_node.
		 * uppervp is locked, though un->un_uppervp
		 * may not be.  this doesn't break the locking
		 * hierarchy since in the case that un->un_uppervp
		 * is not yet locked it will be vnode_put'd and replaced
		 * with uppervp.
		 */

		if (un->un_flags & UN_LOCKED) {
			un->un_flags |= UN_WANT;
			msleep((caddr_t) &un->un_flags, union_mtxp, PINOD, "union node locked", 0);
			goto loop;
		}       
		un->un_flags |= UN_LOCKED;
                        
		union_unlock();
		if (UNIONTOV(un) == NULLVP)
			panic("null vnode in union node\n");
		if (vnode_get(UNIONTOV(un))) {
			union_lock();
			un->un_flags &= ~UN_LOCKED;
			if ((un->un_flags & UN_WANT) == UN_WANT) {
				un->un_flags &=  ~UN_LOCKED;
				wakeup(&un->un_flags);
			}
			goto loop;
		}
		union_lock();

		/*
		 * At this point, the union_node is locked,
		 * un->un_uppervp may not be locked, and uppervp
		 * is locked or nil.
		 */

		/*
		 * Save information about the upper layer.
		 */
		if (uppervp != un->un_uppervp) {
			union_newupper(un, uppervp);
		} else if (uppervp) {
			union_unlock();
			vnode_put(uppervp);
			union_lock();
		}

		/*
		 * Save information about the lower layer.
		 * This needs to keep track of pathname
		 * and directory information which union_vn_create
		 * might need.
		 */
		if (lowervp != un->un_lowervp) {
			union_newlower(un, lowervp);
			if (cnp && (lowervp != NULLVP)) {
				un->un_hash = cnp->cn_hash;
				union_unlock();
				MALLOC(un->un_path, caddr_t, cnp->cn_namelen+1,
						M_TEMP, M_WAITOK);
				bcopy(cnp->cn_nameptr, un->un_path,
						cnp->cn_namelen);
				vnode_get(dvp);
				union_lock();
				un->un_path[cnp->cn_namelen] = '\0';
				un->un_dirvp = dvp;
			}
		} else if (lowervp) {
			union_unlock();
			vnode_put(lowervp);
			union_lock();
		}
		*vpp = UNIONTOV(un);
		un->un_flags &= ~UN_LOCKED;
		if ((un->un_flags & UN_WANT) == UN_WANT) {
			un->un_flags &= ~UN_WANT;
			wakeup(&un->un_flags);
		}
		return (0);
	}

	if (docache) {
		/*
		 * otherwise lock the vp list while we call getnewvnode
		 * since that can block.
		 */ 
		hash = UNION_HASH(uppervp, lowervp);

		if (union_list_lock(hash))
			goto loop;
	}

	union_unlock();
	MALLOC(unp, void *, sizeof(struct union_node), M_TEMP, M_WAITOK);
	union_lock();

	bzero(unp, sizeof(struct union_node));
	un = unp;
	un->un_uppervp = uppervp;
	if (uppervp != NULLVP)
		un->un_uppervid = vnode_vid(uppervp);
	un->un_uppersz = VNOVAL;
	un->un_lowervp = lowervp;
	if (lowervp != NULLVP)
		un->un_lowervid = vnode_vid(lowervp);
	un->un_lowersz = VNOVAL;
	un->un_pvp = undvp;
	if (undvp != NULLVP)
		vnode_get(undvp);
	un->un_dircache = 0;
	un->un_openl = 0;
	un->un_mount = mp;
	un->un_flags = UN_LOCKED;
#ifdef FAULTFS
	if (UNION_FAULTIN(um))
		un->un_flags |= UN_FAULTFS;
#endif

	if (docache) {
		/* Insert with lock held */
		LIST_INSERT_HEAD(&unhead[hash], un, un_cache);
		un->un_flags |= UN_CACHED;
		union_list_unlock(hash);
	}

	union_unlock();

	if (uppervp)
		vtype = uppervp->v_type;
	else
		vtype = lowervp->v_type;

	bzero(&vfsp, sizeof(struct vnode_fsparam));
	vfsp.vnfs_mp = mp;
	vfsp.vnfs_vtype = vtype;
	vfsp.vnfs_str = "unionfs";
	vfsp.vnfs_dvp = undvp;
	vfsp.vnfs_fsnode = unp;
	vfsp.vnfs_cnp = cnp;
	vfsp.vnfs_vops = union_vnodeop_p;
	vfsp.vnfs_rdev = 0;
	vfsp.vnfs_filesize = 0;
	vfsp.vnfs_flags = VNFS_NOCACHE | VNFS_CANTCACHE;
	vfsp.vnfs_marksystem = 0;
	vfsp.vnfs_markroot = markroot;

	error = vnode_create(VNCREATE_FLAVOR, VCREATESIZE, &vfsp, vpp);
	if (error) {
		/*  XXXXX Is this right ????  XXXXXXX */
		if (uppervp) {
		        vnode_put(uppervp);
		}
		if (lowervp)
			vnode_put(lowervp);

		union_lock();
		if (un->un_flags & UN_CACHED) {
			un->un_flags &= ~UN_CACHED;
			LIST_REMOVE(un, un_cache);
		}
		if (docache)
			union_list_unlock(hash);

		FREE(unp, M_TEMP);

		return (error);
	}

	if (cnp && (lowervp != NULLVP)) {
		un->un_hash = cnp->cn_hash;
		un->un_path = _MALLOC(cnp->cn_namelen+1, M_TEMP, M_WAITOK);
		bcopy(cnp->cn_nameptr, un->un_path, cnp->cn_namelen);
		un->un_path[cnp->cn_namelen] = '\0';
		vnode_get(dvp);
		un->un_dirvp = dvp;
	} else {
		un->un_hash = 0;
		un->un_path = 0;
		un->un_dirvp = 0;
	}

	if (xlowervp)
		vnode_put(xlowervp);

	union_lock();

	vnode_settag(*vpp, VT_UNION);
	un->un_vnode = *vpp;
	if (un->un_vnode->v_type == VDIR) {
		if (un->un_uppervp == NULLVP) {
			panic("faulting fs and no upper vp for dir?");
		}

	}


	un->un_flags &= ~UN_LOCKED;
	if ((un->un_flags & UN_WANT) == UN_WANT) {
		un->un_flags &=  ~UN_WANT;
		wakeup(&un->un_flags);
	} 

	return(error);

}

/* always called with union lock held */
int
union_freevp(struct vnode *vp)
{
	struct union_node *un = VTOUNION(vp);

	if (un->un_flags & UN_CACHED) {
		un->un_flags &= ~UN_CACHED;
		LIST_REMOVE(un, un_cache);
	}

	union_unlock();
	if (un->un_pvp != NULLVP)
		vnode_put(un->un_pvp);
	if (un->un_uppervp != NULLVP)
		vnode_put(un->un_uppervp);
	if (un->un_lowervp != NULLVP)
		vnode_put(un->un_lowervp);
	if (un->un_dirvp != NULLVP)
		vnode_put(un->un_dirvp);
	if (un->un_path)
		_FREE(un->un_path, M_TEMP);

	FREE(vp->v_data, M_TEMP);
	vp->v_data = 0;
	union_lock();

	return (0);
}

/*
 * copyfile.  copy the vnode (fvp) to the vnode (tvp)
 * using a sequence of reads and writes.  both (fvp)
 * and (tvp) are locked on entry and exit.
 */
/* called with no union lock held */
int
union_copyfile(struct vnode *fvp, struct vnode *tvp, vfs_context_t context)
{
	char *bufp;
	struct uio *auio;
	char uio_buf [ UIO_SIZEOF(1) ];
	int error = 0;

	/*
	 * strategy:
	 * allocate a buffer of size MAXPHYSIO.
	 * loop doing reads and writes, keeping track
	 * of the current uio offset.
	 * give up at the first sign of trouble.
	 */

	auio = uio_createwithbuffer(1, 0, UIO_SYSSPACE,
		UIO_READ /* will change */, &uio_buf, sizeof(uio_buf));

	bufp = _MALLOC(MAXPHYSIO, M_TEMP, M_WAITOK);
	if (bufp == NULL) {
		return ENOMEM;
	}

	/* ugly loop follows... */
	do {
		off_t offset = uio_offset(auio);

		uio_reset(auio, offset, UIO_SYSSPACE, UIO_READ);
		uio_addiov(auio, (uintptr_t)bufp, MAXPHYSIO);
		error = VNOP_READ(fvp, auio, 0, context);

		if (error == 0) {
			user_ssize_t resid = uio_resid(auio);

			uio_reset(auio, offset, UIO_SYSSPACE, UIO_WRITE);
			uio_addiov(auio, (uintptr_t)bufp, MAXPHYSIO - resid);

			if (uio_resid(auio) == 0)
				break;

			do {
				error = VNOP_WRITE(tvp, auio, 0, context);
			} while ((uio_resid(auio) > 0) && (error == 0));
		}

	} while (error == 0);

	_FREE(bufp, M_TEMP);
	return (error);
}

/*
 * (un) is assumed to be locked on entry and remains
 * locked on exit.
 */
/* always called with union lock held */
int
union_copyup(struct union_node *un, int docopy, vfs_context_t context)
{
	int error;
	struct vnode *lvp, *uvp;
	struct vnode_attr vattr;
	mode_t  cmode = 0;

	
	lvp = un->un_lowervp;

	union_unlock();

	if (UNNODE_FAULTIN(un)) {
		/* Need to inherit exec mode in faulting fs */
		VATTR_INIT(&vattr);
		VATTR_WANTED(&vattr, va_flags);
		if (vnode_getattr(lvp, &vattr, context) == 0 )
			cmode = vattr.va_mode;
		
	}
	error = union_vn_create(&uvp, un, cmode, context);
	if (error) {
		union_lock();
		if (error == EEXIST) {
			if (uvp != NULLVP) {
				union_newupper(un, uvp);
				error = 0;	
			} 
		}
		return (error);
	}

	union_lock();
	/* at this point, uppervp is locked */
	union_newupper(un, uvp);
	union_unlock();


	if (docopy) {
		/*
		 * XX - should not ignore errors
		 * from vnop_close
		 */
		error = VNOP_OPEN(lvp, FREAD, context);
		if (error == 0) {
			error = union_copyfile(lvp, uvp, context);
			(void) VNOP_CLOSE(lvp, FREAD, context);
		}
#ifdef UNION_DIAGNOSTIC
		if (error == 0)
			uprintf("union: copied up %s\n", un->un_path);
#endif

	}
	union_vn_close(uvp, FWRITE, context);

	/*
	 * Subsequent IOs will go to the top layer, so
	 * call close on the lower vnode and open on the
	 * upper vnode to ensure that the filesystem keeps
	 * its references counts right.  This doesn't do
	 * the right thing with (cred) and (FREAD) though.
	 * Ignoring error returns is not right, either.
	 */

	/* No need to hold the lock as the union node should be locked for this(it is in faultin mode) */
	if (error == 0) {
		int i;

		for (i = 0; i < un->un_openl; i++) {
			(void) VNOP_CLOSE(lvp, FREAD, context);
			(void) VNOP_OPEN(uvp, FREAD, context);
		}
		un->un_openl = 0;
	}

	union_lock();

	return (error);

}


int 
union_faultin_copyup(struct vnode **vpp, vnode_t udvp, vnode_t lvp, struct componentname * cnp, vfs_context_t context)
{
	int error;
	struct vnode *uvp;
	struct vnode_attr vattr;
	struct vnode_attr *vap;
	mode_t  cmode = 0;
	int fmode = FFLAGS(O_WRONLY|O_CREAT|O_TRUNC|O_EXCL);
	struct proc * p = vfs_context_proc(context);
	struct componentname cn;
	

	vap = &vattr;
	VATTR_INIT(vap);
	VATTR_WANTED(vap, va_flags);
	if (vnode_getattr(lvp, vap, context) == 0 )
		cmode = vattr.va_mode;
		
	*vpp = NULLVP;


	if (cmode == (mode_t)0)
		cmode = UN_FILEMODE & ~p->p_fd->fd_cmask;
	else
		cmode = cmode & ~p->p_fd->fd_cmask;


	/*
	 * Build a new componentname structure (for the same
	 * reasons outlines in union_mkshadow()).
	 * The difference here is that the file is owned by
	 * the current user, rather than by the person who
	 * did the mount, since the current user needs to be
	 * able to write the file (that's why it is being
	 * copied in the first place).
	 */
	bzero(&cn, sizeof(struct componentname));

	cn.cn_namelen = cnp->cn_namelen;
	cn.cn_pnbuf = (caddr_t) _MALLOC_ZONE(cn.cn_namelen+1,
						M_NAMEI, M_WAITOK);
	cn.cn_pnlen = cn.cn_namelen+1;
	bcopy(cnp->cn_nameptr, cn.cn_pnbuf, cn.cn_namelen+1);
	cn.cn_nameiop = CREATE;
	cn.cn_flags = (HASBUF|SAVENAME|SAVESTART|ISLASTCN|UNIONCREATED);
	cn.cn_context = context;
	cn.cn_nameptr = cn.cn_pnbuf;
	cn.cn_hash = 0;
	cn.cn_consume = 0;

	/*
	 * Pass dvp unlocked and referenced on call to relookup().
	 *
	 * If an error occurs, dvp will be returned unlocked and dereferenced.
	 */
	if ((error = relookup(udvp, &uvp, &cn)) != 0) {
		goto out;
	}

	/*
	 * If no error occurs, dvp will be returned locked with the reference
	 * left as before, and vpp will be returned referenced and locked.
	 */
	if (uvp) {
		*vpp = uvp;
		error = EEXIST;
		goto out;
	}

	/*
	 * Good - there was no race to create the file
	 * so go ahead and create it.  The permissions
	 * on the file will be 0666 modified by the
	 * current user's umask.  Access to the file, while
	 * it is unioned, will require access to the top *and*
	 * bottom files.  Access when not unioned will simply
	 * require access to the top-level file.
	 *
	 * TODO: confirm choice of access permissions.
	 *       decide on authorisation behaviour
	 */
	
	VATTR_INIT(vap);
	VATTR_SET(vap, va_type, VREG);
	VATTR_SET(vap, va_mode, cmode);

	cn.cn_flags |= (UNIONCREATED);
	if ((error = vn_create(udvp, &uvp, &cn, vap, 0, context)) != 0) {
		goto out;
	}

	
	if ((error = VNOP_OPEN(uvp, fmode, context)) != 0) {
		vn_clearunionwait(uvp, 0);
		vnode_recycle(uvp);
		vnode_put(uvp);
		goto out;
	}

	error = vnode_ref_ext(uvp, fmode);
	if (error ) {
		vn_clearunionwait(uvp, 0);
		VNOP_CLOSE(uvp, fmode, context);
		vnode_recycle(uvp);
		vnode_put(uvp);
		goto out;
	}


	/*
	 * XX - should not ignore errors
	 * from vnop_close
	 */
	error = VNOP_OPEN(lvp, FREAD, context);
	if (error == 0) {
		error = union_copyfile(lvp, uvp, context);
		(void) VNOP_CLOSE(lvp, FREAD, context);
	}

	VNOP_CLOSE(uvp, fmode, context);
	vnode_rele_ext(uvp, fmode, 0);
	vn_clearunionwait(uvp, 0);

	*vpp = uvp;
out:
	if ((cn.cn_flags & HASBUF) == HASBUF) {
		FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI);
		cn.cn_flags &= ~HASBUF;
	}
	return (error);
}


/*
 *	union_relookup:
 *
 *	dvp should be locked on entry and will be locked on return.  No
 *	net change in the ref count will occur.
 *
 *	If an error is returned, *vpp will be invalid, otherwise it
 *	will hold a locked, referenced vnode.  If *vpp == dvp then
 *	remember that only one exclusive lock is held.
 */

/* No union lock held for this call */
static int
union_relookup(
#ifdef XXX_HELP_ME
	struct union_mount *um,
#else	/* !XXX_HELP_ME */
	__unused struct union_mount *um,
#endif	/* !XXX_HELP_ME */
	struct vnode *dvp,
	struct vnode **vpp,
	struct componentname *cnp,
	struct componentname *cn,
	char *path,
	int pathlen)
{
	int error;

	/*
	 * A new componentname structure must be faked up because
	 * there is no way to know where the upper level cnp came
	 * from or what it is being used for.  This must duplicate
	 * some of the work done by NDINIT, some of the work done
	 * by namei, some of the work done by lookup and some of
	 * the work done by vnop_lookup when given a CREATE flag.
	 * Conclusion: Horrible.
	 */
	cn->cn_namelen = pathlen;
	cn->cn_pnbuf = _MALLOC_ZONE(cn->cn_namelen+1, M_NAMEI, M_WAITOK);
	cn->cn_pnlen = cn->cn_namelen+1;
	bcopy(path, cn->cn_pnbuf, cn->cn_namelen);
	cn->cn_pnbuf[cn->cn_namelen] = '\0';

	cn->cn_nameiop = CREATE;
	cn->cn_flags = (HASBUF|SAVENAME|SAVESTART|ISLASTCN );
#ifdef XXX_HELP_ME
	cn->cn_proc = cnp->cn_proc;
	if (um->um_op == UNMNT_ABOVE)
		cn->cn_cred = cnp->cn_cred;
	else
		cn->cn_cred = um->um_cred;
#endif
	cn->cn_context = cnp->cn_context;	/* XXX !UNMNT_ABOVE  case ??? */
	cn->cn_nameptr = cn->cn_pnbuf;
	cn->cn_hash = 0;
	cn->cn_consume = cnp->cn_consume;

	vnode_get(dvp);
	error = relookup(dvp, vpp, cn);
	vnode_put(dvp);

	return (error);
}

/*
 * Create a shadow directory in the upper layer.
 * The new vnode is returned locked.
 *
 * (um) points to the union mount structure for access to the
 * the mounting process's credentials.
 * (dvp) is the directory in which to create the shadow directory,
 * It is locked (but not ref'd) on entry and return.
 * (cnp) is the component name to be created.
 * (vpp) is the returned newly created shadow directory, which
 * is returned locked and ref'd
 */
/* No union lock held for this call */
int
union_mkshadow(um, dvp, cnp, vpp)
	struct union_mount *um;
	struct vnode *dvp;
	struct componentname *cnp;
	struct vnode **vpp;
{
	int error;
	struct vnode_attr va;
	struct componentname cn;

	bzero(&cn, sizeof(struct componentname));


	error = union_relookup(um, dvp, vpp, cnp, &cn,
			cnp->cn_nameptr, cnp->cn_namelen);
	if (error) 
		goto out;

	if (*vpp) {
		error = EEXIST;
		goto out;
	}

	/*
	 * Policy: when creating the shadow directory in the
	 * upper layer, create it owned by the user who did
	 * the mount, group from parent directory, and mode
	 * 777 modified by umask (ie mostly identical to the
	 * mkdir syscall).  (jsp, kb)
	 */

	VATTR_INIT(&va);
	VATTR_SET(&va, va_type, VDIR);
	VATTR_SET(&va, va_mode, um->um_cmode);

	error = vn_create(dvp, vpp, &cn, &va, 0, cnp->cn_context);
out:
	if ((cn.cn_flags & HASBUF) == HASBUF) {
		FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI);
		cn.cn_flags &= ~HASBUF;
	}
	return (error);
}

/*
 * Create a whiteout entry in the upper layer.
 *
 * (um) points to the union mount structure for access to the
 * the mounting process's credentials.
 * (dvp) is the directory in which to create the whiteout.
 * it is locked on entry and exit.
 * (cnp) is the componentname to be created.
 */
/* No union lock held for this call */
int
union_mkwhiteout(um, dvp, cnp, path)
	struct union_mount *um;
	struct vnode *dvp;
	struct componentname *cnp;
	char *path;
{
	int error;
	struct vnode *wvp;
	struct componentname cn;

	bzero(&cn, sizeof(struct componentname));

	error = union_relookup(um, dvp, &wvp, cnp, &cn, path, strlen(path));
	if (error) {
		goto out;
	}
	if (wvp) {
		error = EEXIST;
		goto out;
	}

	error = VNOP_WHITEOUT(dvp, &cn, CREATE, cnp->cn_context);

out:
	if ((cn.cn_flags & HASBUF) == HASBUF) {
		FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI);
		cn.cn_flags &= ~HASBUF;
	}
	return (error);
}


/*
 * union_vn_create: creates and opens a new shadow file
 * on the upper union layer.  This function is similar
 * in spirit to calling vn_open() but it avoids calling namei().
 * The problem with calling namei() is that a) it locks too many
 * things, and b) it doesn't start at the "right" directory,
 * whereas relookup() is told where to start.
 *
 * On entry, the vnode associated with un is locked.  It remains locked
 * on return.
 *
 * If no error occurs, *vpp contains a locked referenced vnode for your
 * use.  If an error occurs *vpp iis undefined.
 */
/* called with no union lock held */
int
union_vn_create(struct vnode **vpp, struct union_node *un, mode_t cmode, vfs_context_t  context)
{
	struct vnode *vp;
	struct vnode_attr vat;
	struct vnode_attr *vap = &vat;
	int fmode = FFLAGS(O_WRONLY|O_CREAT|O_TRUNC|O_EXCL);
	int error;
	struct proc * p = vfs_context_proc(context);
	struct componentname cn;

	bzero(&cn, sizeof(struct componentname));
	*vpp = NULLVP;

	if (cmode == (mode_t)0)
		cmode = UN_FILEMODE & ~p->p_fd->fd_cmask;
	else
		cmode = cmode & ~p->p_fd->fd_cmask;


	/*
	 * Build a new componentname structure (for the same
	 * reasons outlines in union_mkshadow()).
	 * The difference here is that the file is owned by
	 * the current user, rather than by the person who
	 * did the mount, since the current user needs to be
	 * able to write the file (that's why it is being
	 * copied in the first place).
	 */
	cn.cn_namelen = strlen(un->un_path);
	cn.cn_pnbuf = (caddr_t) _MALLOC_ZONE(cn.cn_namelen+1,
						M_NAMEI, M_WAITOK);
	cn.cn_pnlen = cn.cn_namelen+1;
	bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1);
	cn.cn_nameiop = CREATE;
	if (UNNODE_FAULTIN(un))
		cn.cn_flags = (HASBUF|SAVENAME|SAVESTART|ISLASTCN|UNIONCREATED);
	else
		cn.cn_flags = (HASBUF|SAVENAME|SAVESTART|ISLASTCN);
	cn.cn_context = context;
	cn.cn_nameptr = cn.cn_pnbuf;
	cn.cn_hash = un->un_hash;
	cn.cn_consume = 0;

	/*
	 * Pass dvp unlocked and referenced on call to relookup().
	 *
	 * If an error occurs, dvp will be returned unlocked and dereferenced.
	 */
	vnode_get(un->un_dirvp);
	if ((error = relookup(un->un_dirvp, &vp, &cn)) != 0) {
		vnode_put(un->un_dirvp);
		goto out;
	}
	vnode_put(un->un_dirvp);

	/*
	 * If no error occurs, dvp will be returned locked with the reference
	 * left as before, and vpp will be returned referenced and locked.
	 */
	if (vp) {
		*vpp = vp;
		error = EEXIST;
		goto out;
	}

	/*
	 * Good - there was no race to create the file
	 * so go ahead and create it.  The permissions
	 * on the file will be 0666 modified by the
	 * current user's umask.  Access to the file, while
	 * it is unioned, will require access to the top *and*
	 * bottom files.  Access when not unioned will simply
	 * require access to the top-level file.
	 *
	 * TODO: confirm choice of access permissions.
	 *       decide on authorisation behaviour
	 */
	
	VATTR_INIT(vap);
	VATTR_SET(vap, va_type, VREG);
	VATTR_SET(vap, va_mode, cmode);

	if ((error = vn_create(un->un_dirvp, &vp, &cn, vap, 0, context)) != 0) {
		goto out;
	}

	if ((error = VNOP_OPEN(vp, fmode, context)) != 0) {
		vnode_put(vp);
		goto out;
	}

	vnode_lock(vp);
	if (++vp->v_writecount <= 0)
		panic("union: v_writecount");
	vnode_unlock(vp);
	*vpp = vp;
	error = 0;

out:
	if ((cn.cn_flags & HASBUF) == HASBUF) {
		FREE_ZONE(cn.cn_pnbuf, cn.cn_pnlen, M_NAMEI);
		cn.cn_flags &= ~HASBUF;
	}
	return(error);
}

/* called with no union lock held */
static int
union_vn_close(struct vnode *vp, int fmode, vfs_context_t context)
{

	if (fmode & FWRITE) {
		vnode_lock(vp);
		--vp->v_writecount;
		vnode_unlock(vp);
	}
	return (VNOP_CLOSE(vp, fmode, context));
}

/*
 *	union_removed_upper:
 *
 *	An upper-only file/directory has been removed; un-cache it so
 *	that unionfs vnode gets reclaimed and the last uppervp reference
 *	disappears.
 *
 *	Called with union_node unlocked.
 */
/* always called with union lock held */
void
union_removed_upper(un)
	struct union_node *un;
{
	union_newupper(un, NULLVP);
	if (un->un_flags & UN_CACHED) {
		un->un_flags &= ~UN_CACHED;
		LIST_REMOVE(un, un_cache);
	}

}

#if 0
struct vnode *
union_lowervp(vp)
	struct vnode *vp;
{
	struct union_node *un = VTOUNION(vp);

	if ((un->un_lowervp != NULLVP) &&
	    (vp->v_type == un->un_lowervp->v_type)) {
		if (vnode_get(un->un_lowervp) == 0)
			return (un->un_lowervp);
	}

	return (NULLVP);
}
#endif

/*
 * Determine whether a whiteout is needed
 * during a remove/rmdir operation.
 */
/* called with no union lock held */
int
union_dowhiteout(struct union_node *un, vfs_context_t ctx)
{
	struct vnode_attr va;

	if (UNNODE_FAULTIN(un))
		return(0);

	if ((un->un_lowervp != NULLVP) )
		return (1);

	VATTR_INIT(&va);
	VATTR_WANTED(&va, va_flags);
	if (vnode_getattr(un->un_uppervp, &va, ctx) == 0 &&
	    (va.va_flags & OPAQUE))
		return (1);

	return (0);
}

/* called with no union lock held */
static void
union_dircache_r(struct vnode *vp, struct vnode ***vppp, int *cntp)
{
	struct union_node *un;

	if (vp->v_op != union_vnodeop_p) {
		if (vppp) {
			vnode_get(vp);
			*(*vppp)++ = vp;
			if (--(*cntp) == 0)
				panic("union: dircache table too small");
		} else {
			(*cntp)++;
		}

		return;
	}

	un = VTOUNION(vp);
	if (un->un_uppervp != NULLVP)
		union_dircache_r(un->un_uppervp, vppp, cntp);
	if (un->un_lowervp != NULLVP)
		union_dircache_r(un->un_lowervp, vppp, cntp);
}

/* called with no union lock held */
struct vnode *
union_dircache(struct vnode *vp, __unused vfs_context_t context)
{
	int count;
	struct vnode *nvp, *lvp;
	struct vnode **vpp;
	struct vnode **dircache, **newdircache;
	struct union_node *un;
	int error;
	int alloced = 0;

	union_lock();
	newdircache = NULL;

	nvp = NULLVP;
	un = VTOUNION(vp);

	dircache = un->un_dircache;
	if (dircache == 0) {
		union_unlock();
		count = 0;
		union_dircache_r(vp, 0, &count);
		count++;
#if 0
		/* too bad; we need Union now! */
#if MAC_XXX
                panic("MAC Framework doesn't support unionfs (yet)\n");
#endif /* MAC */
#endif

		dircache = (struct vnode **)
				_MALLOC(count * sizeof(struct vnode *),
					M_TEMP, M_WAITOK);
		if (dircache == NULL) {
			goto out;
		}
		newdircache = dircache;
		alloced = 1;
		vpp = dircache;
		union_dircache_r(vp, &vpp, &count);
		*vpp = NULLVP;
		vpp = dircache + 1;
		union_lock();
	} else {
		vpp = dircache;
		do {
			if (*vpp++ == un->un_uppervp)
				break;
		} while (*vpp != NULLVP);
	}

	lvp = *vpp;
	union_unlock();
	if (lvp == NULLVP) {
		goto out;
	}

	vnode_get(lvp);
	union_lock();

	error = union_allocvp(&nvp, vp->v_mount, NULLVP, NULLVP, 0, lvp, NULLVP, 0);
	if (error) {
		union_unlock();
		vnode_put(lvp);
		goto out;
	}

	un->un_dircache = 0;
	un = VTOUNION(nvp);
#if 0
	if ((alloced != 0) && (un->un_dircache != 0)) {
		union_unlock();
		for (vpp = newdircache; *vpp != NULLVP; vpp++)
			vnode_put(*vpp);
		_FREE(newdircache, M_TEMP);
		newdircache = NULL;
		union_lock();
		if (nvp != NULLVP)
			union_freevp(nvp);
		goto loop;
	}
#endif
	un->un_dircache = dircache;
	un->un_flags |= UN_DIRENVN;
	
	newdircache = NULL;
	union_unlock();
	return (nvp);

out:
	/*
	 * If we allocated a new dircache and couldn't attach
	 * it to a new vp, free the resources we allocated.
	 */
	if (newdircache) {
		for (vpp = newdircache; *vpp != NULLVP; vpp++)
			vnode_put(*vpp);
		_FREE(newdircache, M_TEMP);
	}
	return (NULLVP);
}

/*
 * Module glue to remove #ifdef UNION from vfs_syscalls.c
 */
/* Called with no union lock, the union_dircache takes locks when necessary */
static int
union_dircheck(struct vnode **vpp, struct fileproc *fp, vfs_context_t ctx)
{
	int error = 0;
	vnode_t vp = *vpp;
	
	if (vp->v_op == union_vnodeop_p) {
		struct vnode *lvp;

		lvp = union_dircache(vp, ctx);
		if (lvp != NULLVP) {
			struct vnode_attr va;
			/*
			 * If the directory is opaque,
			 * then don't show lower entries
			 */
			VATTR_INIT(&va);
			VATTR_WANTED(&va, va_flags);
			error = vnode_getattr(vp, &va, ctx);
			if (va.va_flags & OPAQUE) {
				vnode_put(lvp);
				lvp = NULL;
			}
		}

		if (lvp != NULLVP) {
#if CONFIG_MACF
			error = mac_vnode_check_open(ctx, lvp, FREAD);
			if (error) {
				vnode_put(lvp);
				return(error);
			}
#endif /* MAC */
			error = VNOP_OPEN(lvp, FREAD, ctx);
			if (error) {
				vnode_put(lvp);
				return(error);
			}
			vnode_ref(lvp);
			fp->f_fglob->fg_data = (caddr_t) lvp;
			fp->f_fglob->fg_offset = 0;

			error = VNOP_CLOSE(vp, FREAD, ctx);
			vnode_rele(vp);
			vnode_put(vp);
			if (error)
				return(error);

			*vpp = lvp;
			return -1;	/* goto unionread */
		}
	}
	return error;
}

/*  called from inactive with union lock held */
void
union_dircache_free(struct union_node *un)
{
	struct vnode **vpp;

	vpp = un->un_dircache;
	un->un_dircache = NULL;
	union_unlock();	
	
	for (; *vpp != NULLVP; vpp++)
		vnode_put(*vpp);
	_FREE(un->un_dircache, M_TEMP);
	union_lock();
}