Date: Thu, 30 Nov 2023 17:12:01 +0000
To: Alice Ryhl
From: Benno Lossin
Cc: Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Peter Zijlstra, Alexander Viro, Christian Brauner, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Dan Williams, Kees Cook, Matthew Wilcox, Thomas Gleixner, Daniel Xu, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 6/7] rust: file: add `DeferredFdCloser`
In-Reply-To: <20231129-alice-file-v1-6-f81afe8c7261@google.com>
References: <20231129-alice-file-v1-0-f81afe8c7261@google.com> <20231129-alice-file-v1-6-f81afe8c7261@google.com>

On 11/29/23 14:12, Alice Ryhl wrote:
> + /// Schedule a task work that closes the file descriptor when this t= ask returns to userspace. 
> + pub fn close_fd(mut self, fd: u32) { > + use bindings::task_work_notify_mode_TWA_RESUME as TWA_RESUME; > + > + let file =3D unsafe { bindings::close_fd_get_file(fd) }; > + if file.is_null() { > + // Nothing further to do. The allocation is freed by the des= tructor of `self.inner`. > + return; > + } > + > + self.inner.file =3D file; > + > + // SAFETY: Since `DeferredFdCloserInner` is `#[repr(C)]`, castin= g the pointers gives a > + // pointer to the `twork` field. > + let inner =3D Box::into_raw(self.inner) as *mut bindings::callba= ck_head; Here you can just use `.cast::<...>()`. > + // SAFETY: Getting a pointer to current is always safe. > + let current =3D unsafe { bindings::get_current() }; > + // SAFETY: The `file` pointer points at a valid file. > + unsafe { bindings::get_file(file) }; > + // SAFETY: Due to the above `get_file`, even if the current task= holds an `fdget` to > + // this file right now, the refcount will not drop to zero until= after it is released > + // with `fdput`. This is because when using `fdget`, you must al= ways use `fdput` before > + // returning to userspace, and our task work runs after any `fdg= et` users have returned > + // to userspace. > + // > + // Note: fl_owner_t is currently a void pointer. > + unsafe { bindings::filp_close(file, (*current).files as bindings= ::fl_owner_t) }; > + // SAFETY: The `inner` pointer is compatible with the `do_close_= fd` method. > + unsafe { bindings::init_task_work(inner, Some(Self::do_close_fd)= ) }; > + // SAFETY: The `inner` pointer points at a valid and fully initi= alized task work that is > + // ready to be scheduled. > + unsafe { bindings::task_work_add(current, inner, TWA_RESUME) }; I am a bit confused, when does `do_close_fd` actually run? Does `TWA_RESUME` mean that `inner` is scheduled to run after the current task has been completed? 
> + } > + > + // SAFETY: This function is an implementation detail of `close_fd`, = so its safety comments > + // should be read in extension of that method. > + unsafe extern "C" fn do_close_fd(inner: *mut bindings::callback_head= ) { > + // SAFETY: In `close_fd` we use this method together with a poin= ter that originates from a > + // `Box`, and we have just been given own= ership of that allocation. > + let inner =3D unsafe { Box::from_raw(inner as *mut DeferredFdClo= serInner) }; In order for this call to be sound, `inner` must be an exclusive pointer (including any possible references into the `callback_head`). Is this the case? --=20 Cheers, Benno > + // SAFETY: This drops a refcount we acquired in `close_fd`. Sinc= e this callback runs in a > + // task work after we return to userspace, it is guaranteed that= the current thread doesn't > + // hold this file with `fdget`, as `fdget` must be released befo= re returning to userspace. > + unsafe { bindings::fput(inner.file) }; > + // Free the allocation. > + drop(inner); > + } > +} > + > /// Represents the `EBADF` error code. > /// > /// Used for methods that can only fail with `EBADF`. >=20 > -- > 2.43.0.rc1.413.gea7ed67945-goog >
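Review bot: The return value of `task_work_add` on the last line of `close_fd` is discarded, yet `do_close_fd` is the only place in this hunk that drops the reference taken with `get_file` and frees the `Box` behind `inner`. `task_work_add` returns an error when the task is already exiting, and in that case both the file reference and the allocation are leaked. Check the result and, on failure, rebuild the `Box` from `inner` and call `fput` on the file in `close_fd` itself. Separately, `unsafe { bindings::close_fd_get_file(fd) }` at the top of `close_fd` is the only unsafe block in this hunk without a `// SAFETY:` comment; add one stating why the call is sound for an arbitrary `fd`.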