From nobody Sun Feb 8 09:32:48 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C342EEB64DA for ; Thu, 20 Jul 2023 15:29:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232059AbjGTP3H (ORCPT ); Thu, 20 Jul 2023 11:29:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34134 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231478AbjGTP27 (ORCPT ); Thu, 20 Jul 2023 11:28:59 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADD5126B5 for ; Thu, 20 Jul 2023 08:28:44 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-583312344e7so8686547b3.1 for ; Thu, 20 Jul 2023 08:28:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866924; x=1690471724; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=lGsQzpftUqu/kmuJWlaGnOlUm9YEsSfvHqOENO4D8dg=; b=HP4VC4yqfpbodAzQdaIPQ4nHY72QwI4xzaASWFSHnM+kJ/oVIJABmevzS7L4fyYt6u uod2tSIWVsovjnMAekiIbWj5Z08qROuyF2g0iu38AQHdWLp9uc/DhQPw2D1NORvQj8rV uva0LfWOLN7B+LKRWA9IWsmwQn8i3ANXZTuq8sB2F2XUzy3s5QLK0dgKqtQUdemy1mOg aYhL5pHQM2Ass9pi9bb1Y6ghGFIr1a/fzbGO3QUOVVsPHCkKnNHGrrFyZ/1q8z8TitC2 WKQTAvs1luUmaoKYOZcHjv3dRyMXEE1AlN1K4jMm4difaM43OPe7/ud3XATXsI+YplQg ffNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866924; x=1690471724; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lGsQzpftUqu/kmuJWlaGnOlUm9YEsSfvHqOENO4D8dg=; 
b=fgmQeuU1+pkBtBf1jWEGJFuqv8PAWoZJAo2Kh6IsLoChUlU+zwaRLsb98kMjURgJsT ZZrBIUYJdwuRbBvg8R3GvfxFTPWDaWyY/OBP5iHkBUn6jlCjR6laI3UWflNNGHTwM3dJ O9IxLHEYqJGqKlAcv20zI8/Aaw7zccMni762k3vuTl3VHKENz3oB04cVnppNmxGq+dU8 kjF7D3Qs3ggVAWUCxAtrHUjfnc5OmidDGDJ0I/UhsXBwRANjvmB8uXjMpCLYgarNN5Nu dD8RjmAlb+67UvqXDJug9LG/3Tc50+hUsPnOKa7YFYOJg0ELJMN0K1Y9ksuQJNbH8qTl ZJMQ== X-Gm-Message-State: ABy/qLYjvMj4q4DAhW94FFcGTLxkzKyJIFbJCVEcof6LoWXbmRyznuSU UlDDgzdrnxa5+ZFBwjDykgJVluCwHKshmgM= X-Google-Smtp-Source: APBJJlHO5O4cMxl3yvu0ac9SIsB/5yliMvkbEyAyJIsejZiEICgCkS5rSMuIcjDr5ooI5wJaXW6Biubwv7IbGS4= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a25:ab0e:0:b0:cc5:c7d6:ae13 with SMTP id u14-20020a25ab0e000000b00cc5c7d6ae13mr45030ybi.5.1689866923961; Thu, 20 Jul 2023 08:28:43 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:16 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-2-aliceryhl@google.com> Subject: [RFC PATCH v1 1/5] rust: file: add bindings for `struct file` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda , Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , linux-kernel@vger.kernel.org, patches@lists.linux.dev, Wedson Almeida Filho , Daniel Xu Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Wedson Almeida Filho Using these bindings it becomes possible to access files from drivers written in Rust. This patch only adds support for accessing the flags, and for managing the refcount of the file. 
Signed-off-by: Wedson Almeida Filho Co-Developed-by: Daniel Xu Signed-off-by: Daniel Xu Co-Developed-by: Alice Ryhl Signed-off-by: Alice Ryhl --- In this patch, I am defining an error type called `BadFdError`. I'd like your thoughts on doing it this way vs just using the normal `Error` type. Pros: * The type system makes it clear that the function can only fail with EBADF, and that no other errors are possible. * Since the compiler knows that `ARef` cannot be null and that `BadFdError` has only one possible value, the return type of `File::from_fd` is represented as a pointer with null being an error. Cons: * Defining additional error types involves boilerplate. * The return type becomes a tagged union, making it larger than a pointer. * The question mark operator will only utilize the `From` trait once, which prevents you from using the question mark operator on `BadFdError` in methods that return some third error type that the kernel `Error` is convertible into. rust/bindings/bindings_helper.h | 2 + rust/helpers.c | 7 ++ rust/kernel/file.rs | 176 ++++++++++++++++++++++++++++++++ rust/kernel/lib.rs | 1 + 4 files changed, 186 insertions(+) create mode 100644 rust/kernel/file.rs diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs new file mode 100644 index 000000000000..99657adf2472 --- /dev/null +++ b/rust/kernel/file.rs @@ -0,0 +1,176 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Files and file descriptors. +//! +//! C headers: [`include/linux/fs.h`](../../../../include/linux/fs.h) and +//! [`include/linux/file.h`](../../../../include/linux/file.h) + +use crate::{ + bindings, + error::{code::*, Error, Result}, + types::{ARef, AlwaysRefCounted, Opaque}, +}; +use core::ptr; + +/// Flags associated with a [`File`]. +pub mod flags { + /// File is opened in append mode. + pub const O_APPEND: u32 =3D bindings::O_APPEND; + + /// Signal-driven I/O is enabled. + pub const O_ASYNC: u32 =3D bindings::FASYNC; + + /// Close-on-exec flag is set. 
+ pub const O_CLOEXEC: u32 =3D bindings::O_CLOEXEC; + + /// File was created if it didn't already exist. + pub const O_CREAT: u32 =3D bindings::O_CREAT; + + /// Direct I/O is enabled for this file. + pub const O_DIRECT: u32 =3D bindings::O_DIRECT; + + /// File must be a directory. + pub const O_DIRECTORY: u32 =3D bindings::O_DIRECTORY; + + /// Like [`O_SYNC`] except metadata is not synced. + pub const O_DSYNC: u32 =3D bindings::O_DSYNC; + + /// Ensure that this file is created with the `open(2)` call. + pub const O_EXCL: u32 =3D bindings::O_EXCL; + + /// Large file size enabled (`off64_t` over `off_t`). + pub const O_LARGEFILE: u32 =3D bindings::O_LARGEFILE; + + /// Do not update the file last access time. + pub const O_NOATIME: u32 =3D bindings::O_NOATIME; + + /// File should not be used as process's controlling terminal. + pub const O_NOCTTY: u32 =3D bindings::O_NOCTTY; + + /// If basename of path is a symbolic link, fail open. + pub const O_NOFOLLOW: u32 =3D bindings::O_NOFOLLOW; + + /// File is using nonblocking I/O. + pub const O_NONBLOCK: u32 =3D bindings::O_NONBLOCK; + + /// Also known as `O_NDELAY`. + /// + /// This is effectively the same flag as [`O_NONBLOCK`] on all archite= ctures + /// except SPARC64. + pub const O_NDELAY: u32 =3D bindings::O_NDELAY; + + /// Used to obtain a path file descriptor. + pub const O_PATH: u32 =3D bindings::O_PATH; + + /// Write operations on this file will flush data and metadata. + pub const O_SYNC: u32 =3D bindings::O_SYNC; + + /// This file is an unnamed temporary regular file. + pub const O_TMPFILE: u32 =3D bindings::O_TMPFILE; + + /// File should be truncated to length 0. + pub const O_TRUNC: u32 =3D bindings::O_TRUNC; + + /// Bitmask for access mode flags. 
+ /// + /// # Examples + /// + /// ``` + /// use kernel::file; + /// # fn do_something() {} + /// # let flags =3D 0; + /// if (flags & file::flags::O_ACCMODE) =3D=3D file::flags::O_RDONLY { + /// do_something(); + /// } + /// ``` + pub const O_ACCMODE: u32 =3D bindings::O_ACCMODE; + + /// File is read only. + pub const O_RDONLY: u32 =3D bindings::O_RDONLY; + + /// File is write only. + pub const O_WRONLY: u32 =3D bindings::O_WRONLY; + + /// File can be both read and written. + pub const O_RDWR: u32 =3D bindings::O_RDWR; +} + +/// Wraps the kernel's `struct file`. +/// +/// # Invariants +/// +/// Instances of this type are always ref-counted, that is, a call to `get= _file` ensures that the +/// allocation remains valid at least until the matching call to `fput`. +#[repr(transparent)] +pub struct File(Opaque<bindings::file>); + +// SAFETY: By design, the only way to access a `File` is via an immutable = reference or an `ARef`. +// This means that the only situation in which a `File` can be accessed mu= tably is when the +// refcount drops to zero and the destructor runs. It is safe for that to = happen on any thread, so +// it is ok for this type to be `Send`. +unsafe impl Send for File {} + +// SAFETY: It's OK to access `File` through shared references from other t= hreads because we're +// either accessing properties that don't change or that are properly sync= hronised by C code. +unsafe impl Sync for File {} + +impl File { + /// Constructs a new `struct file` wrapper from a file descriptor. + /// + /// The file descriptor belongs to the current process. + pub fn from_fd(fd: u32) -> Result<ARef<Self>, BadFdError> { + // SAFETY: FFI call, there are no requirements on `fd`. + let ptr =3D ptr::NonNull::new(unsafe { bindings::fget(fd) }).ok_or= (BadFdError)?; + + // SAFETY: `fget` increments the refcount before returning. + Ok(unsafe { ARef::from_raw(ptr.cast()) }) + } + + /// Creates a reference to a [`File`] from a valid pointer. 
+ /// + /// # Safety + /// + /// The caller must ensure that `ptr` points at a valid file and that = its refcount does not + /// reach zero until after the end of the lifetime 'a. + pub unsafe fn from_ptr<'a>(ptr: *const bindings::file) -> &'a File { + // SAFETY: The safety requirements guarantee the validity of the d= ereference, while the + // `File` type being transparent makes the cast ok. + unsafe { &*ptr.cast() } + } + + /// Returns the flags associated with the file. + /// + /// The flags are a combination of the constants in [`flags`]. + pub fn flags(&self) -> u32 { + // SAFETY: The file is valid because the shared reference guarante= es a nonzero refcount. + // + // This uses a volatile read because C code may be modifying this = field in parallel using + // non-atomic unsynchronized writes. This corresponds to how the C= macro READ_ONCE is + // implemented. + unsafe { core::ptr::addr_of!((*self.0.get()).f_flags).read_volatil= e() } + } +} + +// SAFETY: The type invariants guarantee that `File` is always ref-counted. +unsafe impl AlwaysRefCounted for File { + fn inc_ref(&self) { + // SAFETY: The existence of a shared reference means that the refc= ount is nonzero. + unsafe { bindings::get_file(self.0.get()) }; + } + + unsafe fn dec_ref(obj: ptr::NonNull) { + // SAFETY: The safety requirements guarantee that the refcount is = nonzero. + unsafe { bindings::fput(obj.cast().as_ptr()) } + } +} + +/// Represents the EBADF error code. +/// +/// Used for methods that can only fail with EBADF. 
+pub struct BadFdError; + +impl From for Error { + fn from(_: BadFdError) -> Error { + EBADF + } +} diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 85b261209977..650bfffc1e6f 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -32,6 +32,7 @@ mod allocator; mod build_assert; pub mod error; +pub mod file; pub mod init; pub mod ioctl; pub mod prelude; diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 3e601ce2548d..c5b2cfd02bac 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -7,6 +7,8 @@ */ =20 #include +#include +#include #include #include #include diff --git a/rust/helpers.c b/rust/helpers.c index f946f2ea640a..072f7ef80ea5 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -137,6 +138,12 @@ void rust_helper_put_task_struct(struct task_struct *t) } EXPORT_SYMBOL_GPL(rust_helper_put_task_struct); =20 +struct file *rust_helper_get_file(struct file *f) +{ + return get_file(f); +} +EXPORT_SYMBOL_GPL(rust_helper_get_file); + /* * We use `bindgen`'s `--size_t-is-usize` option to bind the C `size_t` ty= pe * as the Rust `usize` type, so we can use it in contexts where Rust --=20 2.41.0.255.g8b1d071c50-goog From nobody Sun Feb 8 09:32:48 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF7FBC001DC for ; Thu, 20 Jul 2023 15:29:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232412AbjGTP3M (ORCPT ); Thu, 20 Jul 2023 11:29:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34200 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231800AbjGTP3C (ORCPT ); Thu, 20 Jul 2023 11:29:02 -0400 Received: from mail-yw1-x1149.google.com 
(mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3EDD126B8 for ; Thu, 20 Jul 2023 08:28:48 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-573d70da2dcso8525007b3.1 for ; Thu, 20 Jul 2023 08:28:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866927; x=1690471727; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=IQBUPgxHkhflJuYPJ1CvCZCjp5mdRng6N97hOUv3RDI=; b=umjfMOmncgfgLKwMNiEIs8577emiyzixkvve2v76Ldzq9BfJ2Gsva1zZuV7MmD+zEm V73fo4vHJKN3JL0aZkO4wToR1GGZI6zAUng+M3D7w8R7KOD5DI5XFt33icbHulyHxvhl D5+UKe8+wLNlI3Y0OlBtcRaD9X/Oh4SoHkKCK5pTRUk6deSnW5vy3T1AIqtzp6PAXLY5 Dlwwx0Wxi+sgy88xAvX+Vq1+H+9JH46daacQaxG5vBeKlL61m/L52VErUYkIIgC/iY1p UgL6blkD2v7rwH7l2W/hozK4eWoRgzOMEkTe1YkafDUYMyaQvNAIvZ9dR7lwzd+z0uDI kQ3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866927; x=1690471727; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IQBUPgxHkhflJuYPJ1CvCZCjp5mdRng6N97hOUv3RDI=; b=i/lz1tF8eeMWTdqPVKzSoHwDr05l4EzvWSvCfsLefwtWxfW2HFd8BskFhKL4R/9qXN S1McSERpiV3cjhpH9cTu7tsn29OsCLKUNu9Ux7Vzpp6EunnIgvM9M3GAyVdgp3iFqCv1 p1kddaFjniCpeFOlvpQLxvLpOPQylkwiJHiZ8QtrYW5q32XsGmQ3/nfXm6x5GzJXPdKa UysA5n9Oe8KHUwHnSvPs+jg4NUM5IJWy1KVmxRr6oe3yOkqEAKPA1Y47YWsV3lbzTp8K tFXfkYkpGrFM7Nu/6Ea1vgFI/2/po14B9WGLtTxSrhRv5eVvdYS/qA7AxYz9ASuOyKiP nd2w== X-Gm-Message-State: ABy/qLbDu12MZ3WkdKfssNqLJk/TNywfIus6FQ8Snr2M2uhk/DP95sru myT+gQqsK0BMLmkat6a4KIVW8Q5d6xiwo30= X-Google-Smtp-Source: APBJJlHVd3IS4h3/Z8+ztRjFttwDDD2vfU5J2lXiiefal1S5tDdZhnFP6jIvagOyWXs0jg7XbB3rIbKvJmNJOGM= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a81:ac4c:0:b0:57a:141f:b4f5 with SMTP id 
z12-20020a81ac4c000000b0057a141fb4f5mr61560ywj.7.1689866927507; Thu, 20 Jul 2023 08:28:47 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:17 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-3-aliceryhl@google.com> Subject: [RFC PATCH v1 2/5] rust: cred: add Rust bindings for `struct cred` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda , Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , linux-kernel@vger.kernel.org, patches@lists.linux.dev, Wedson Almeida Filho Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Wedson Almeida Filho Make it possible to access credentials from Rust drivers. In particular, this patch makes it possible to get the id for the security context of a given file. Signed-off-by: Wedson Almeida Filho Co-Developed-by: Alice Ryhl Signed-off-by: Alice Ryhl --- rust/bindings/bindings_helper.h | 2 + rust/helpers.c | 22 +++++++++++ rust/kernel/cred.rs | 66 +++++++++++++++++++++++++++++++++ rust/kernel/file.rs | 15 ++++++++ rust/kernel/lib.rs | 1 + 5 files changed, 106 insertions(+) create mode 100644 rust/kernel/cred.rs diff --git a/rust/kernel/cred.rs b/rust/kernel/cred.rs new file mode 100644 index 000000000000..ca3fac4851a2 --- /dev/null +++ b/rust/kernel/cred.rs @@ -0,0 +1,66 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Credentials management. +//! +//! C header: [`include/linux/cred.h`](../../../../include/linux/cred.h) +//! +//! Reference: + +use crate::{ + bindings, + types::{AlwaysRefCounted, Opaque}, +}; + +/// Wraps the kernel's `struct cred`. 
+/// +/// # Invariants +/// +/// Instances of this type are always ref-counted, that is, a call to `get= _cred` ensures that the +/// allocation remains valid at least until the matching call to `put_cred= `. +#[repr(transparent)] +pub struct Credential(pub(crate) Opaque<bindings::cred>); + +// SAFETY: By design, the only way to access a `Credential` is via an immu= table reference or an +// `ARef`. This means that the only situation in which a `Credential` can = be accessed mutably is +// when the refcount drops to zero and the destructor runs. It is safe for= that to happen on any +// thread, so it is ok for this type to be `Send`. +unsafe impl Send for Credential {} + +// SAFETY: It's OK to access `Credential` through shared references from o= ther threads because +// we're either accessing properties that don't change or that are properl= y synchronised by C code. +unsafe impl Sync for Credential {} + +impl Credential { + /// Creates a reference to a [`Credential`] from a valid pointer. + /// + /// # Safety + /// + /// The caller must ensure that `ptr` is valid and remains valid for t= he lifetime of the + /// returned [`Credential`] reference. + pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -> &'a Credenti= al { + // SAFETY: The safety requirements guarantee the validity of the d= ereference, while the + // `Credential` type being transparent makes the cast ok. + unsafe { &*ptr.cast() } + } + + /// Get the id for this security context. + pub fn get_secid(&self) -> u32 { + let mut secid =3D 0; + // SAFETY: The invariants of this type ensure that the pointer is= valid. + unsafe { bindings::security_cred_getsecid(self.0.get(), &mut secid= ) }; + secid + } +} + +// SAFETY: The type invariants guarantee that `Credential` is always ref-c= ounted. +unsafe impl AlwaysRefCounted for Credential { + fn inc_ref(&self) { + // SAFETY: The existence of a shared reference means that the refc= ount is nonzero. 
+ unsafe { bindings::get_cred(self.0.get()) }; + } + + unsafe fn dec_ref(obj: core::ptr::NonNull) { + // SAFETY: The safety requirements guarantee that the refcount is = nonzero. + unsafe { bindings::put_cred(obj.cast().as_ptr()) }; + } +} diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs index 99657adf2472..d379ae2906d9 100644 --- a/rust/kernel/file.rs +++ b/rust/kernel/file.rs @@ -7,6 +7,7 @@ =20 use crate::{ bindings, + cred::Credential, error::{code::*, Error, Result}, types::{ARef, AlwaysRefCounted, Opaque}, }; @@ -138,6 +139,20 @@ pub unsafe fn from_ptr<'a>(ptr: *const bindings::file)= -> &'a File { unsafe { &*ptr.cast() } } =20 + /// Returns the credentials of the task that originally opened the fil= e. + pub fn cred(&self) -> &Credential { + // SAFETY: The file is valid because the shared reference guarante= es a nonzero refcount. + // + // This uses a volatile read because C code may be modifying this = field in parallel using + // non-atomic unsynchronized writes. This corresponds to how the C= macro READ_ONCE is + // implemented. + let ptr =3D unsafe { core::ptr::addr_of!((*self.0.get()).f_cred).r= ead_volatile() }; + // SAFETY: The lifetimes of `self` and `Credential` are tied, so i= t is guaranteed that + // the credential pointer remains valid (because the file is still= alive, and it doesn't + // change over the lifetime of a file). + unsafe { Credential::from_ptr(ptr) } + } + /// Returns the flags associated with the file. /// /// The flags are a combination of the constants in [`flags`]. 
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 650bfffc1e6f..07258bfa8960 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -31,6 +31,7 @@ #[cfg(not(testlib))] mod allocator; mod build_assert; +pub mod cred; pub mod error; pub mod file; pub mod init; diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index c5b2cfd02bac..d89f0df93615 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -6,9 +6,11 @@ * Sorted alphabetically. */ =20 +#include #include #include #include +#include #include #include #include diff --git a/rust/helpers.c b/rust/helpers.c index 072f7ef80ea5..e13a7da430b1 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -22,12 +22,14 @@ =20 #include #include +#include #include #include #include #include #include #include +#include #include #include =20 @@ -144,6 +146,26 @@ struct file *rust_helper_get_file(struct file *f) } EXPORT_SYMBOL_GPL(rust_helper_get_file); =20 +const struct cred *rust_helper_get_cred(const struct cred *cred) +{ + return get_cred(cred); +} +EXPORT_SYMBOL_GPL(rust_helper_get_cred); + +void rust_helper_put_cred(const struct cred *cred) +{ + put_cred(cred); +} +EXPORT_SYMBOL_GPL(rust_helper_put_cred); + +#ifndef CONFIG_SECURITY +void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid) +{ + security_cred_getsecid(c, secid); +} +EXPORT_SYMBOL_GPL(rust_helper_security_cred_getsecid); +#endif + /* * We use `bindgen`'s `--size_t-is-usize` option to bind the C `size_t` ty= pe * as the Rust `usize` type, so we can use it in contexts where Rust --=20 2.41.0.255.g8b1d071c50-goog From nobody Sun Feb 8 09:32:48 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4974EB64DA for ; Thu, 20 Jul 2023 15:29:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by 
vger.kernel.org via listexpand id S232525AbjGTP3Q (ORCPT ); Thu, 20 Jul 2023 11:29:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34170 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231293AbjGTP3D (ORCPT ); Thu, 20 Jul 2023 11:29:03 -0400 Received: from mail-ej1-x649.google.com (mail-ej1-x649.google.com [IPv6:2a00:1450:4864:20::649]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F1FE1B9 for ; Thu, 20 Jul 2023 08:28:52 -0700 (PDT) Received: by mail-ej1-x649.google.com with SMTP id a640c23a62f3a-993eeb3a950so70923766b.2 for ; Thu, 20 Jul 2023 08:28:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866931; x=1690471731; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=EyZV70aSLRGUBSW3Idz74sX+TofVqWIQD1mh1640q38=; b=RqS707yH9iuG7p6GJXSLRTbTgG0a3UfXdNmkgzKXyq+LZAk/vDmF962f9cun/ZxZCg 7d44NcEuve934uCnCmHBq7kvmoXcMgE8vYD2El840R8evkmUt6iB4SguESYzPUmKs136 pcRKzjfCHFo51fe3uLQ8VtOzzYCmY7RUStmHPVdkrUlC+8ku7Pp6CEefLRS5aIo53e8p OY9bAVtCRHmJh/24zpIY+BvIeuDWITw0KryIPXViTV+QktgVYIYQbQaYHISUNt6cyX5Z KJiJ81aEPRXETKLR/BgpiqXSvxeDfS6e4nf+/0XDdPzyofbowKZ44ErJDP1tOrhygDtm fGDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866931; x=1690471731; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=EyZV70aSLRGUBSW3Idz74sX+TofVqWIQD1mh1640q38=; b=AO122V3k4okxv5KC+rdr4ofZOm3F67ME+hZNWpdlIM8DD51EvxgOP9bCPKXYc6wVIt NLY2AnaKoyJMx6uLTBUV3lCRrin4pVhVTDb798dmq+zz20We7d0ttc8oh+WbhEs5oG5z Ldxh35F6sNZOhfHRqrG4HXukLcBwtMC7N9jzGfX/ZVYFR5DdtyuM3Cmm0g+ZbCWkTI4j t89nztX9hzJHfAMPTzXKixSktxrITGhqee7haPjf8+Ux8a6DFNwPzDYvhPu4Kz1aGhTk YzA/c1bAbWpJRrYwKzZR4udrE9/abf3ljs1HMiLxejvHSQIz2yohd9TN2hBKOKcu4DKJ EmMg== X-Gm-Message-State: 
ABy/qLYJSLr/YafcS1qAm01PYT1ItZpwF/pjRaFv1TSBS8S6Ca2TAIg9 KUVKjut8R9AU6x8oVHpns+PtwPlZLtIpoSA= X-Google-Smtp-Source: APBJJlFcX1Wvv8T28heLGJIvE2Ykm8T7nFeE/WdA341Y+SWLJMzAB39fF5oIw+mdh2BWhXmtFjKIfxadaKRwNy4= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a17:907:2bd7:b0:98e:1a1b:9c21 with SMTP id gv23-20020a1709072bd700b0098e1a1b9c21mr15466ejc.5.1689866930843; Thu, 20 Jul 2023 08:28:50 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:18 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-4-aliceryhl@google.com> Subject: [RFC PATCH v1 3/5] rust: file: add `FileDescriptorReservation` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda , Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , linux-kernel@vger.kernel.org, patches@lists.linux.dev, Wedson Almeida Filho Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Wedson Almeida Filho This allows the creation of a file descriptor in two steps: first, we reserve a slot for it, then we commit or drop the reservation. The first step may fail (e.g., the current process ran out of available slots), but commit and drop never fail (and are mutually exclusive). 
Co-Developed-by: Alice Ryhl Signed-off-by: Wedson Almeida Filho Signed-off-by: Alice Ryhl --- rust/kernel/file.rs | 61 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs index d379ae2906d9..8ddf8f04ae0f 100644 --- a/rust/kernel/file.rs +++ b/rust/kernel/file.rs @@ -11,7 +11,7 @@ error::{code::*, Error, Result}, types::{ARef, AlwaysRefCounted, Opaque}, }; -use core::ptr; +use core::{marker::PhantomData, ptr}; =20 /// Flags associated with a [`File`]. pub mod flags { @@ -179,6 +179,65 @@ unsafe fn dec_ref(obj: ptr::NonNull) { } } =20 +/// A file descriptor reservation. +/// +/// This allows the creation of a file descriptor in two steps: first, we = reserve a slot for it, +/// then we commit or drop the reservation. The first step may fail (e.g.,= the current process ran +/// out of available slots), but commit and drop never fail (and are mutua= lly exclusive). +/// +/// # Invariants +/// +/// The fd stored in this struct must correspond to a reserved file descri= ptor of the current task. +pub struct FileDescriptorReservation { + fd: u32, + /// Prevent values of this type from being moved to a different task. + /// + /// This is necessary because the C FFI calls assume that `current` is= set to the task that + /// owns the fd in question. + _not_send_sync: PhantomData<*mut ()>, +} + +impl FileDescriptorReservation { + /// Creates a new file descriptor reservation. + pub fn new(flags: u32) -> Result<Self> { + // SAFETY: FFI call, there are no safety requirements on `flags`. + let fd: i32 =3D unsafe { bindings::get_unused_fd_flags(flags) }; + if fd < 0 { + return Err(Error::from_errno(fd)); + } + Ok(Self { + fd: fd as _, + _not_send_sync: PhantomData, + }) + } + + /// Returns the file descriptor number that was reserved. + pub fn reserved_fd(&self) -> u32 { + self.fd + } + + /// Commits the reservation. + /// + /// The previously reserved file descriptor is bound to `file`. 
+ pub fn commit(self, file: ARef<File>) { + // SAFETY: `self.fd` was previously returned by `get_unused_fd_fla= gs`, and `file.ptr` is + // guaranteed to have an owned ref count by its type invariants. + unsafe { bindings::fd_install(self.fd, file.0.get()) }; + + // `fd_install` consumes both the file descriptor and the file ref= erence, so we cannot run + // the destructors. + core::mem::forget(self); + core::mem::forget(file); + } +} + +impl Drop for FileDescriptorReservation { + fn drop(&mut self) { + // SAFETY: `self.fd` was returned by a previous call to `get_unuse= d_fd_flags`. + unsafe { bindings::put_unused_fd(self.fd) }; + } +} + /// Represents the EBADF error code. /// /// Used for methods that can only fail with EBADF. --=20 2.41.0.255.g8b1d071c50-goog From nobody Sun Feb 8 09:32:48 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5272CEB64DA for ; Thu, 20 Jul 2023 15:29:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232543AbjGTP3T (ORCPT ); Thu, 20 Jul 2023 11:29:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231919AbjGTP3D (ORCPT ); Thu, 20 Jul 2023 11:29:03 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 26BBF2701 for ; Thu, 20 Jul 2023 08:28:55 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id 3f1490d57ef6-c64ef5bde93so773687276.0 for ; Thu, 20 Jul 2023 08:28:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866934; x=1690471734; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; 
bh=8tH3XEerZJwrZmU22bF8N/0qUJWteANYMAoh9Uhhjis=; b=iIbHUoHVCIkaKMm/BUsR4YwpCcAILtijBEEpiPzLGsxFloPgn0f7EOrpei60KDIcvk 8t9TBzVqQs+AkQvHturJdtqihaNRMzMFCKXFW+yYzJtUuSGFzvt6b7X4xrQ742/qZmKU PvEKOBKF4OD/QkC7sV6V53SmlhclUJxyOXH9z0797NDGNgsxIgCVTE77X5wl3hBXbpX4 CUYQc58iS7Vz7i0p4RGy5F1G9zOILpr96cQBOoIdxky3VX2EsWb49rl1/kluJqBrvrQt WqjWtykIW08YaMiVbMm4RK5QZ+3LafZMQodf7O1gjLNykfiDOSypoIOhwMpCer+173uW j3fA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866934; x=1690471734; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=8tH3XEerZJwrZmU22bF8N/0qUJWteANYMAoh9Uhhjis=; b=MQ26Pg6CCJTf8oxondeajr4YGhimCSoHc4GoPigpAO80qRzwAG6qvRkKED3J5VaAFN u3Oz+TMOEN8PRH4sNPHMFZDs0rZDe0BgIKdy/17TnSXH7dm8oOvWi7oizP2KMp5UWRCr 1n3SP1ugT5ObCO3Qd1gRCeT8R/xTUcizodLa1uuhCMo+hNzJ6KNdbZeUy3IzyAAwVykP ffUaX5mRBqTB8mUGZ5rtS+zwvmtLmEvOsu528vtdME5swh0c6f0I8glrOUBTduqcuhUZ tbq7BEzWjvEBE482/NBJ+msA1fiC6GJXyloz+amQIVFPmsaLXK0rEp1EnU+6M+cRpkNB Kvdg== X-Gm-Message-State: ABy/qLZ7EgFLwfO/pZSiiV0aTPOEvpUU6PUu5PMEmZFshcbv91kZj8UZ 8WxORwg9N1RdUIClc1y6hiRqMJJ2MP3zOdU= X-Google-Smtp-Source: APBJJlF6cATeLhYEkc+Kltokpd6Fuo8ex9iPNH0A4q6at8KTHctN4S63Ew8lL0snobh9IN2IF6MQLjmL7RBatPk= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a25:2551:0:b0:c86:e7cf:4064 with SMTP id l78-20020a252551000000b00c86e7cf4064mr39916ybl.6.1689866934433; Thu, 20 Jul 2023 08:28:54 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:19 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-5-aliceryhl@google.com> Subject: [RFC PATCH v1 4/5] rust: file: add bindings for `poll_table` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda 
, Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , linux-kernel@vger.kernel.org, patches@lists.linux.dev Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" These bindings make it possible to register a `struct poll_table` with a `CondVar` so that notifying the condition variable will mark a given file as notified in the poll table. This patch introduces a wrapper around `CondVar` (which is just a wrapper around `wait_list`) rather than extending `CondVar` itself because using the condition variable with poll tables makes it necessary to use `POLLHUP | POLLFREE` to clear the wait list when the condition variable is destroyed. This is not necessary with the ordinary `CondVar` because all of its methods will borrow the `CondVar` for longer than the duration in which it enqueues something to the wait list. This is not the case when registering a `PollTable`. Signed-off-by: Alice Ryhl --- rust/bindings/bindings_helper.h | 2 + rust/bindings/lib.rs | 1 + rust/kernel/file.rs | 3 ++ rust/kernel/file/poll_table.rs | 93 +++++++++++++++++++++++++++++++++ rust/kernel/sync/condvar.rs | 2 +- 5 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 rust/kernel/file/poll_table.rs diff --git a/rust/kernel/file/poll_table.rs b/rust/kernel/file/poll_table.rs new file mode 100644 index 000000000000..d6d134355088 --- /dev/null +++ b/rust/kernel/file/poll_table.rs @@ -0,0 +1,93 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Utilities for working with `struct poll_table`. + +use crate::{ + bindings, + file::File, + prelude::*, + sync::{CondVar, LockClassKey}, + types::Opaque, +}; +use core::ops::Deref; + +/// Creates a [`PollCondVar`] initialiser with the given name and a newly-= created lock class. +#[macro_export] +macro_rules! 
new_poll_condvar { + ($($name:literal)?) =3D> { + $crate::file::PollCondVar::new($crate::optional_name!($($name)?), = $crate::static_lock_class!()) + }; +} + +/// Wraps the kernel's `struct poll_table`. +#[repr(transparent)] +pub struct PollTable(Opaque); + +impl PollTable { + /// Creates a reference to a [`PollTable`] from a valid pointer. + /// + /// # Safety + /// + /// The caller must ensure that for the duration of 'a, the pointer wi= ll point at a valid poll + /// table, and that it is only accessed via the returned reference. + pub unsafe fn from_ptr<'a>(ptr: *mut bindings::poll_table) -> &'a mut = PollTable { + // SAFETY: The safety requirements guarantee the validity of the d= ereference, while the + // `PollTable` type being transparent makes the cast ok. + unsafe { &mut *ptr.cast() } + } + + fn get_qproc(&self) -> bindings::poll_queue_proc { + let ptr =3D self.0.get(); + // SAFETY: The `ptr` is valid because it originates from a referen= ce, and the `_qproc` + // field is not modified concurrently with this call. + unsafe { (*ptr)._qproc } + } + + /// Register this [`PollTable`] with the provided [`PollCondVar`], so = that it can be notified + /// using the condition variable. + pub fn register_wait(&mut self, file: &File, cv: &PollCondVar) { + if let Some(qproc) =3D self.get_qproc() { + // SAFETY: The pointers to `self` and `file` are valid because= they are references. + // + // Before the wait list is destroyed, the destructor of `PollC= ondVar` will clear + // everything in the wait list, so the wait list is not used a= fter it is freed. + unsafe { qproc(file.0.get() as _, cv.wait_list.get(), self.0.g= et()) }; + } + } +} + +/// A wrapper around [`CondVar`] that makes it usable with [`PollTable`]. +/// +/// [`CondVar`]: crate::sync::CondVar +#[pin_data(PinnedDrop)] +pub struct PollCondVar { + #[pin] + inner: CondVar, +} + +impl PollCondVar { + /// Constructs a new condvar initialiser. 
+ #[allow(clippy::new_ret_no_self)] + pub fn new(name: &'static CStr, key: &'static LockClassKey) -> impl Pi= nInit { + pin_init!(Self { + inner <- CondVar::new(name, key), + }) + } +} + +// Make the `CondVar` methods callable on `PollCondVar`. +impl Deref for PollCondVar { + type Target =3D CondVar; + + fn deref(&self) -> &CondVar { + &self.inner + } +} + +#[pinned_drop] +impl PinnedDrop for PollCondVar { + fn drop(self: Pin<&mut Self>) { + // Clear anything registered using `register_wait`. + self.inner.notify(1, bindings::POLLHUP | bindings::POLLFREE); + } +} diff --git a/rust/kernel/sync/condvar.rs b/rust/kernel/sync/condvar.rs index ed353399c4e5..699ecac2db89 100644 --- a/rust/kernel/sync/condvar.rs +++ b/rust/kernel/sync/condvar.rs @@ -144,7 +144,7 @@ pub fn wait_uninterruptible(&sel= f, guard: &mut Guard<'_, } =20 /// Calls the kernel function to notify the appropriate number of thre= ads with the given flags. - fn notify(&self, count: i32, flags: u32) { + pub(crate) fn notify(&self, count: i32, flags: u32) { // SAFETY: `wait_list` points to valid memory. unsafe { bindings::__wake_up( diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs index 8ddf8f04ae0f..7281264cbaa1 100644 --- a/rust/kernel/file.rs +++ b/rust/kernel/file.rs @@ -13,6 +13,9 @@ }; use core::{marker::PhantomData, ptr}; =20 +mod poll_table; +pub use self::poll_table::{PollCondVar, PollTable}; + /// Flags associated with a [`File`]. pub mod flags { /// File is opened in append mode. diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index d89f0df93615..7d83e1a7a362 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -19,3 +20,4 @@ /* `bindgen` gets confused at certain things. 
*/ const gfp_t BINDINGS_GFP_KERNEL =3D GFP_KERNEL; const gfp_t BINDINGS___GFP_ZERO =3D __GFP_ZERO; +const __poll_t BINDINGS_POLLFREE =3D POLLFREE; diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs index 9bcbea04dac3..eeb291cc60db 100644 --- a/rust/bindings/lib.rs +++ b/rust/bindings/lib.rs @@ -51,3 +51,4 @@ mod bindings_helper { =20 pub const GFP_KERNEL: gfp_t =3D BINDINGS_GFP_KERNEL; pub const __GFP_ZERO: gfp_t =3D BINDINGS___GFP_ZERO; +pub const POLLFREE: __poll_t =3D BINDINGS_POLLFREE; --=20 2.41.0.255.g8b1d071c50-goog From nobody Sun Feb 8 09:32:48 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC2BDEB64DC for ; Thu, 20 Jul 2023 15:29:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232549AbjGTP3V (ORCPT ); Thu, 20 Jul 2023 11:29:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230366AbjGTP3D (ORCPT ); Thu, 20 Jul 2023 11:29:03 -0400 Received: from mail-ed1-x54a.google.com (mail-ed1-x54a.google.com [IPv6:2a00:1450:4864:20::54a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C60B7270E for ; Thu, 20 Jul 2023 08:28:59 -0700 (PDT) Received: by mail-ed1-x54a.google.com with SMTP id 4fb4d7f45d1cf-51a595bc30dso1236318a12.0 for ; Thu, 20 Jul 2023 08:28:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866938; x=1690471738; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=d/u9EQyW+X21UxdbxspElMqoKZgJyUHYdK5EQ3Z7BOw=; b=3Hwd44nZ28dd7XQpwbotYQrWBx55skJp3Gg5KtDbRpDdMOffpWdvgIzNW860/54HaT Azxf/5by8rXcrok2m41Mqp1TMzDWRinsNR8PQskZDazzTs+Gp7tZqhBOc1yUUgTuJmRr 
kksHZP3kh1tFtsq2GBDhXDOpYxYoVGwh08aplvBGp9TKQ48GqSDmZqAyZ2GTmAZhYpJ1 o2H8FoOGoPqkY2ao9JEaJJHSfeUSbfw+8DSGPm6uorPl8pnz36deNwerOjK72eTjgqXq PVbSr14PujluBch8hecMx3je20sH5Q9iXokyshWyBaVVH59tY43OZqL9Vt46qTAXsIUY M1Kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866938; x=1690471738; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=d/u9EQyW+X21UxdbxspElMqoKZgJyUHYdK5EQ3Z7BOw=; b=i/apRflH7GBUxVWusztM43I/kb3wk+gb28PNJah3yic5lkqywl1V7+kA2+U8xH18Nh nLib2rZ7TvxFASz7FcwAmVMjVFsm7AYyjk1fE7EG4kotX7iMGz92JM//SyEKPLIJnOeP fMIGQ2NyrXRvyvjyrJiTQzwPgDXBDSmTJFw4aiZA9cicsmZUnStToQbxOrd3rWG5A1j4 7f8SdAk9PTKs5Jg3nAva7/w1bJhYZ4YHlHzvk6TtHV1ih9TydrDPDz4GjLuEPBhRq63Q 4GrDHTj9hQZpHBUVnjqy9mtmOV+hnhyrl2RUyt6MoF+2DFb525ZSWahot6jZAeRXm79d MQVw== X-Gm-Message-State: ABy/qLarUcizh8uoUk6cxzkT13sgL7fm+tOz6IycH6A1nJykN22IVV+4 SSPPDYezSMbTM9SAUqW+r5IdKtkFiJgXFuA= X-Google-Smtp-Source: APBJJlHVWjVGueX9/R76s//0Z49bMtlWlMtdOLYEUW5lsDUqEawxcfhDALGNUuPtRnFpdXqSHdO1FkhKZsz5mhM= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a05:6402:e9c:b0:51e:3810:e3b1 with SMTP id h28-20020a0564020e9c00b0051e3810e3b1mr39802eda.1.1689866938115; Thu, 20 Jul 2023 08:28:58 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:20 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-6-aliceryhl@google.com> Subject: [RFC PATCH v1 5/5] rust: file: add `DeferredFdCloser` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda , Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , 
linux-kernel@vger.kernel.org, patches@lists.linux.dev Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This adds a new type called `DeferredFdCloser` that can be used to close files by their fd in a way that is safe even if the file is currently held using `fdget`. This is done by grabbing an extra refcount to the file and dropping it in a task work once we return to userspace. See comments on `binder_do_fd_close` and commit `80cd795630d65` for motivation. Signed-off-by: Alice Ryhl --- This is an implementation of `binder_deferred_fd_close` in Rust. I think the fact that binder needs to close fds in this way raises the question of how we want the Rust APIs for closing files to look. Apparently, fdget is not just used in easily reviewable regions, but also around things like the ioctl syscall, meaning that all ioctls must abide by the fdget safety requirements. rust/bindings/bindings_helper.h | 2 + rust/helpers.c | 7 +++ rust/kernel/file.rs | 80 ++++++++++++++++++++++++++++++++- 3 files changed, 88 insertions(+), 1 deletion(-) diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs index 7281264cbaa1..9b1f4efdf7ac 100644 --- a/rust/kernel/file.rs +++ b/rust/kernel/file.rs @@ -11,7 +11,8 @@ error::{code::*, Error, Result}, types::{ARef, AlwaysRefCounted, Opaque}, }; -use core::{marker::PhantomData, ptr}; +use alloc::boxed::Box; +use core::{alloc::AllocError, marker::PhantomData, mem, ptr}; =20 mod poll_table; pub use self::poll_table::{PollCondVar, PollTable}; @@ -241,6 +242,83 @@ fn drop(&mut self) { } } =20 +/// Helper used for closing file descriptors in a way that is safe even if= the file is currently +/// held using `fdget`. +/// +/// See comments on `binder_do_fd_close` and commit `80cd795630d65`. 
+pub struct DeferredFdCloser { + inner: Box, +} + +/// SAFETY: This just holds an allocation with no real content, so there's= no safety issue with +/// moving it across threads. +unsafe impl Send for DeferredFdCloser {} +unsafe impl Sync for DeferredFdCloser {} + +#[repr(C)] +struct DeferredFdCloserInner { + twork: mem::MaybeUninit, + file: *mut bindings::file, +} + +impl DeferredFdCloser { + /// Create a new `DeferredFdCloser`. + pub fn new() -> Result { + Ok(Self { + inner: Box::try_new(DeferredFdCloserInner { + twork: mem::MaybeUninit::uninit(), + file: core::ptr::null_mut(), + })?, + }) + } + + /// Schedule a task work that closes the file descriptor when this tas= k returns to userspace. + pub fn close_fd(mut self, fd: u32) { + let file =3D unsafe { bindings::close_fd_get_file(fd) }; + if !file.is_null() { + self.inner.file =3D file; + + // SAFETY: Since DeferredFdCloserInner is `#[repr(C)]`, castin= g the pointers gives a + // pointer to the `twork` field. + let inner =3D Box::into_raw(self.inner) as *mut bindings::call= back_head; + + // SAFETY: Getting a pointer to current is always safe. + let current =3D unsafe { bindings::get_current() }; + // SAFETY: The `file` pointer points at a valid file. + unsafe { bindings::get_file(file) }; + // SAFETY: Due to the above `get_file`, even if the current ta= sk holds an `fdget` to + // this file right now, the refcount will not drop to zero unt= il after it is released + // with `fdput`. This is because when using `fdget`, you must = always use `fdput` before + // returning to userspace, and our task work runs after any `f= dget` users have returned + // to user space. + // + // Note: fl_owner_t is currently a void pointer. + unsafe { bindings::filp_close(file, current as bindings::fl_ow= ner_t) }; + // SAFETY: The `inner` pointer is compatible with the `do_clos= e_fd` method. + // + // The call to `task_work_add` can't fail, because we are sche= duling the task work to + // the current task. 
+ unsafe { + bindings::init_task_work(inner, Some(Self::do_close_fd)); + bindings::task_work_add(current, inner, bindings::task_wor= k_notify_mode_TWA_RESUME); + } + } else { + // Free the allocation. + drop(self.inner); + } + } + + unsafe extern "C" fn do_close_fd(inner: *mut bindings::callback_head) { + // SAFETY: In `close_fd` we use this method together with a pointe= r that originates from a + // `Box`, and we have just been given owner= ship of that allocation. + let inner =3D unsafe { Box::from_raw(inner as *mut DeferredFdClose= rInner) }; + // SAFETY: This drops a refcount we acquired in `close_fd`. + unsafe { bindings::fput(inner.file) }; + // Free the allocation. + drop(inner); + } +} + /// Represents the EBADF error code. /// /// Used for methods that can only fail with EBADF. diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 7d83e1a7a362..6d0d044fa8cd 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -8,6 +8,7 @@ =20 #include #include +#include #include #include #include @@ -16,6 +17,7 @@ #include #include #include +#include =20 /* `bindgen` gets confused at certain things. */ const gfp_t BINDINGS_GFP_KERNEL =3D GFP_KERNEL; diff --git a/rust/helpers.c b/rust/helpers.c index e13a7da430b1..d147ec5bc0a3 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -31,6 +31,7 @@ #include #include #include +#include #include =20 __noreturn void rust_helper_BUG(void) @@ -166,6 +167,12 @@ void rust_helper_security_cred_getsecid(const struct c= red *c, u32 *secid) EXPORT_SYMBOL_GPL(rust_helper_security_cred_getsecid); #endif =20 +void rust_helper_init_task_work(struct callback_head *twork, task_work_fun= c_t func) +{ + init_task_work(twork, func); +} +EXPORT_SYMBOL_GPL(rust_helper_init_task_work); + /* * We use `bindgen`'s `--size_t-is-usize` option to bind the C `size_t` ty= pe * as the Rust `usize` type, so we can use it in contexts where Rust --=20 2.41.0.255.g8b1d071c50-goog