From nobody Mon Feb 9 10:25:45 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC2BDEB64DC for ; Thu, 20 Jul 2023 15:29:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232549AbjGTP3V (ORCPT ); Thu, 20 Jul 2023 11:29:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230366AbjGTP3D (ORCPT ); Thu, 20 Jul 2023 11:29:03 -0400 Received: from mail-ed1-x54a.google.com (mail-ed1-x54a.google.com [IPv6:2a00:1450:4864:20::54a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C60B7270E for ; Thu, 20 Jul 2023 08:28:59 -0700 (PDT) Received: by mail-ed1-x54a.google.com with SMTP id 4fb4d7f45d1cf-51a595bc30dso1236318a12.0 for ; Thu, 20 Jul 2023 08:28:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1689866938; x=1690471738; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=d/u9EQyW+X21UxdbxspElMqoKZgJyUHYdK5EQ3Z7BOw=; b=3Hwd44nZ28dd7XQpwbotYQrWBx55skJp3Gg5KtDbRpDdMOffpWdvgIzNW860/54HaT Azxf/5by8rXcrok2m41Mqp1TMzDWRinsNR8PQskZDazzTs+Gp7tZqhBOc1yUUgTuJmRr kksHZP3kh1tFtsq2GBDhXDOpYxYoVGwh08aplvBGp9TKQ48GqSDmZqAyZ2GTmAZhYpJ1 o2H8FoOGoPqkY2ao9JEaJJHSfeUSbfw+8DSGPm6uorPl8pnz36deNwerOjK72eTjgqXq PVbSr14PujluBch8hecMx3je20sH5Q9iXokyshWyBaVVH59tY43OZqL9Vt46qTAXsIUY M1Kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866938; x=1690471738; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=d/u9EQyW+X21UxdbxspElMqoKZgJyUHYdK5EQ3Z7BOw=; b=i/apRflH7GBUxVWusztM43I/kb3wk+gb28PNJah3yic5lkqywl1V7+kA2+U8xH18Nh nLib2rZ7TvxFASz7FcwAmVMjVFsm7AYyjk1fE7EG4kotX7iMGz92JM//SyEKPLIJnOeP fMIGQ2NyrXRvyvjyrJiTQzwPgDXBDSmTJFw4aiZA9cicsmZUnStToQbxOrd3rWG5A1j4 7f8SdAk9PTKs5Jg3nAva7/w1bJhYZ4YHlHzvk6TtHV1ih9TydrDPDz4GjLuEPBhRq63Q 4GrDHTj9hQZpHBUVnjqy9mtmOV+hnhyrl2RUyt6MoF+2DFb525ZSWahot6jZAeRXm79d MQVw== X-Gm-Message-State: ABy/qLarUcizh8uoUk6cxzkT13sgL7fm+tOz6IycH6A1nJykN22IVV+4 SSPPDYezSMbTM9SAUqW+r5IdKtkFiJgXFuA= X-Google-Smtp-Source: APBJJlHVWjVGueX9/R76s//0Z49bMtlWlMtdOLYEUW5lsDUqEawxcfhDALGNUuPtRnFpdXqSHdO1FkhKZsz5mhM= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8]) (user=aliceryhl job=sendgmr) by 2002:a05:6402:e9c:b0:51e:3810:e3b1 with SMTP id h28-20020a0564020e9c00b0051e3810e3b1mr39802eda.1.1689866938115; Thu, 20 Jul 2023 08:28:58 -0700 (PDT) Date: Thu, 20 Jul 2023 15:28:20 +0000 In-Reply-To: <20230720152820.3566078-1-aliceryhl@google.com> Mime-Version: 1.0 References: <20230720152820.3566078-1-aliceryhl@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230720152820.3566078-6-aliceryhl@google.com> Subject: [RFC PATCH v1 5/5] rust: file: add `DeferredFdCloser` From: Alice Ryhl To: rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miguel Ojeda , Alexander Viro , Christian Brauner Cc: Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Alice Ryhl , linux-kernel@vger.kernel.org, patches@lists.linux.dev Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This adds a new type called `DeferredFdCloser` that can be used to close files by their fd in a way that is safe even if the file is currently held using `fdget`. This is done by grabbing an extra refcount to the file and dropping it in a task work once we return to userspace. See comments on `binder_do_fd_close` and commit `80cd795630d65` for motivation. Signed-off-by: Alice Ryhl --- This is an implementation of `binder_deferred_fd_close` in Rust. I think the fact that binder needs to close fds in this way raises the question of how we want the Rust APIs for closing files to look. Apparently, fdget is not just used in easily reviewable regions, but also around things like the ioctl syscall, meaning that all ioctls must abide by the fdget safety requirements. rust/bindings/bindings_helper.h | 2 + rust/helpers.c | 7 +++ rust/kernel/file.rs | 80 ++++++++++++++++++++++++++++++++- 3 files changed, 88 insertions(+), 1 deletion(-) diff --git a/rust/kernel/file.rs b/rust/kernel/file.rs index 7281264cbaa1..9b1f4efdf7ac 100644 --- a/rust/kernel/file.rs +++ b/rust/kernel/file.rs @@ -11,7 +11,8 @@ error::{code::*, Error, Result}, types::{ARef, AlwaysRefCounted, Opaque}, }; -use core::{marker::PhantomData, ptr}; +use alloc::boxed::Box; +use core::{alloc::AllocError, marker::PhantomData, mem, ptr}; =20 mod poll_table; pub use self::poll_table::{PollCondVar, PollTable}; @@ -241,6 +242,83 @@ fn drop(&mut self) { } } =20 +/// Helper used for closing file descriptors in a way that is safe even if= the file is currently +/// held using `fdget`. +/// +/// See comments on `binder_do_fd_close` and commit `80cd795630d65`. +pub struct DeferredFdCloser { + inner: Box, +} + +/// SAFETY: This just holds an allocation with no real content, so there's= no safety issue with +/// moving it across threads. +unsafe impl Send for DeferredFdCloser {} +unsafe impl Sync for DeferredFdCloser {} + +#[repr(C)] +struct DeferredFdCloserInner { + twork: mem::MaybeUninit, + file: *mut bindings::file, +} + +impl DeferredFdCloser { + /// Create a new `DeferredFdCloser`. + pub fn new() -> Result { + Ok(Self { + inner: Box::try_new(DeferredFdCloserInner { + twork: mem::MaybeUninit::uninit(), + file: core::ptr::null_mut(), + })?, + }) + } + + /// Schedule a task work that closes the file descriptor when this tas= k returns to userspace. + pub fn close_fd(mut self, fd: u32) { + let file =3D unsafe { bindings::close_fd_get_file(fd) }; + if !file.is_null() { + self.inner.file =3D file; + + // SAFETY: Since DeferredFdCloserInner is `#[repr(C)]`, castin= g the pointers gives a + // pointer to the `twork` field. + let inner =3D Box::into_raw(self.inner) as *mut bindings::call= back_head; + + // SAFETY: Getting a pointer to current is always safe. + let current =3D unsafe { bindings::get_current() }; + // SAFETY: The `file` pointer points at a valid file. + unsafe { bindings::get_file(file) }; + // SAFETY: Due to the above `get_file`, even if the current ta= sk holds an `fdget` to + // this file right now, the refcount will not drop to zero unt= il after it is released + // with `fdput`. This is because when using `fdget`, you must = always use `fdput` before + // returning to userspace, and our task work runs after any `f= dget` users have returned + // to user space. + // + // Note: fl_owner_t is currently a void pointer. + unsafe { bindings::filp_close(file, current as bindings::fl_ow= ner_t) }; + // SAFETY: The `inner` pointer is compatible with the `do_clos= e_fd` method. + // + // The call to `task_work_add` can't fail, because we are sche= duling the task work to + // the current task. + unsafe { + bindings::init_task_work(inner, Some(Self::do_close_fd)); + bindings::task_work_add(current, inner, bindings::task_wor= k_notify_mode_TWA_RESUME); + } + } else { + // Free the allocation. + drop(self.inner); + } + } + + unsafe extern "C" fn do_close_fd(inner: *mut bindings::callback_head) { + // SAFETY: In `close_fd` we use this method together with a pointe= r that originates from a + // `Box`, and we have just been given owner= ship of that allocation. + let inner =3D unsafe { Box::from_raw(inner as *mut DeferredFdClose= rInner) }; + // SAFETY: This drops a refcount we acquired in `close_fd`. + unsafe { bindings::fput(inner.file) }; + // Free the allocation. + drop(inner); + } +} + /// Represents the EBADF error code. /// /// Used for methods that can only fail with EBADF. diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 7d83e1a7a362..6d0d044fa8cd 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -8,6 +8,7 @@ =20 #include #include +#include #include #include #include @@ -16,6 +17,7 @@ #include #include #include +#include =20 /* `bindgen` gets confused at certain things. */ const gfp_t BINDINGS_GFP_KERNEL =3D GFP_KERNEL; diff --git a/rust/helpers.c b/rust/helpers.c index e13a7da430b1..d147ec5bc0a3 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -31,6 +31,7 @@ #include #include #include +#include #include =20 __noreturn void rust_helper_BUG(void) @@ -166,6 +167,12 @@ void rust_helper_security_cred_getsecid(const struct c= red *c, u32 *secid) EXPORT_SYMBOL_GPL(rust_helper_security_cred_getsecid); #endif =20 +void rust_helper_init_task_work(struct callback_head *twork, task_work_fun= c_t func) +{ + init_task_work(twork, func); +} +EXPORT_SYMBOL_GPL(rust_helper_init_task_work); + /* * We use `bindgen`'s `--size_t-is-usize` option to bind the C `size_t` ty= pe * as the Rust `usize` type, so we can use it in contexts where Rust --=20 2.41.0.255.g8b1d071c50-goog