Received: by 2002:a05:6500:1b8f:b0:1fa:5c73:8e2d with SMTP id df15csp359800lqb; Tue, 28 May 2024 19:09:38 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUAXV6Ef4zAGGR2uizUvbSrHNUNEKwOxRUv+owVwHh5AlNpkT1FknTiiK4HUIy35lKPEHi2Fmj///tBcIih5VGbe9VxUrDhLuODDXVw8w== X-Google-Smtp-Source: AGHT+IGG+EsR+7IlA8A7/RsZlF3Ztly4RvihUPaLul8evv/aiUKnbZSwYTA8ar5TR7BpQB5wrtlX X-Received: by 2002:a05:6a20:dd9f:b0:1ae:3359:a2de with SMTP id adf61e73a8af0-1b259acf741mr880689637.28.1716948578548; Tue, 28 May 2024 19:09:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716948578; cv=pass; d=google.com; s=arc-20160816; b=QLAPZ/YV1iENNfMZ+ZxKk5IUkXkVfDsSraDi47F2b2MQWrtbwEOMVT1CKeIeVU3sWf LifM3rni5hIbpBcxAg9v+lMhqbf9aecT+Zkg2mQeEPNmP4Y5397aWuo2bQHCOW7JrrzZ cIRwA+rhdG0iNGIvPCxm9ehd91PdzxB7jJ59Z1Gq/eom81ApiK6eBKs02mRiav1uwkZl RJtrPMrnxIQEiw0xR830N8UlfT8gIDWffJc1EGqg9opjPsEHwqvrZkiK58hL+ltsD0YA ke8bmO1vR9cIus1wMoGB34wAdctGqNfYJpfcSeUmJdvQkakut4gMEA7xW5CrPpaBfTTn /h/w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=1hlkMQxRIEdCpGnrp8gqv9h5AashnbOh2AOuFzZyuXo=; fh=4F8CUVsPcqhCnitCAFHQFeBl9JPOaYmNf8CfEVh5tec=; b=Jge87xcmLDyi6eGWuueNo/0xoNVaW3qV7mHi6OYzBz0MEoOGdcyjN8M/0Le4b2SJiB i/gt1cbtXcxVfu+q0JWtR5NFKxoMMMLx+C/CqMTV08/IokDc0EP1ZGGHTcLwcNRkQr2Y AEoZFnmJLseZEzhvuwikMGvf21+quCY3IXIWwes7ekKK3iSQQRCbHJ5KX8j9QEDWKD1x +8H0BuHk/yfKx8ww0xVK4dezyYl/zuCvKtYzkbVU4vsFx5xBu+9YL1jmi9ZblPxf6XO0 nwwUPkJD0OP2UBRmjMZ6U7LwcuQCdB3twR+73rRXhf43A4K6FMeFW/E7sTyVyXfyc5hU px+A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b="t8/UWoUu"; arc=pass (i=1 dkim=pass dkdomain=linux.org.uk dmarc=pass fromdomain=zeniv.linux.org.uk); spf=pass (google.com: domain of linux-kernel+bounces-193084-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-193084-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-6822779bbfcsi9358823a12.397.2024.05.28.19.09.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 May 2024 19:09:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-193084-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b="t8/UWoUu"; arc=pass (i=1 dkim=pass dkdomain=linux.org.uk dmarc=pass fromdomain=zeniv.linux.org.uk); spf=pass (google.com: domain of linux-kernel+bounces-193084-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-193084-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 602AC283B99 for ; Tue, 28 May 2024 20:59:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6347417B408; Tue, 28 May 2024 20:59:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linux.org.uk header.i=@linux.org.uk header.b="t8/UWoUu" Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [62.89.141.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 08A236A33F; Tue, 28 May 2024 20:59:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=62.89.141.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716929986; cv=none; b=lV4oE5WRmxK8gh03ZrzjVzwFcHTMCxBde9KtSexAzwYNq6J0lIF0HIF9/8zLBhxA5HYmaeK9IN3fZf+AAUhoIL+WeFMzshwqB74z8RMHXDuC4Si+8dxuN/ylCSKqLGue0KOTRqjeHxnPvhl9aJ7AdzFRVXvitgo1jag9a6dWXUY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716929986; c=relaxed/simple; bh=PLXFcu8sKJkyE4JeTWpuz+MKwoHU4DkF9JJyJXCaCCM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=O0kdda4n+bhEvsFiyNYLh+Ji2ESRGa3QulTWxlD5YEQ9lLaVrxQe6jzlKhaG1o6DIvSByUk9JPlpnKrMfXKOZtVGVUNddBQDX6zoZldzTB4I5BRMz4XoAkXJoHxIo+4QmZk0dYSniF2K70k6eVnxp5MokBdAO4nITFzBzMhTywE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zeniv.linux.org.uk; spf=none smtp.mailfrom=ftp.linux.org.uk; dkim=pass (2048-bit key) header.d=linux.org.uk header.i=@linux.org.uk header.b=t8/UWoUu; arc=none smtp.client-ip=62.89.141.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zeniv.linux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=ftp.linux.org.uk DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=1hlkMQxRIEdCpGnrp8gqv9h5AashnbOh2AOuFzZyuXo=; b=t8/UWoUuvp2VSP8PT5TOhsIbJy nEy4xgsPykl6zjSmMYIkH1Vm+pLRxsUY4jN0a5/kKQri9MCsvFpjMJiKuKW7gB7a6o+kSiSE80A5Q YNj/ss8hy5VyDX5cad+CzO1i9i5MUZhcOjxUerRv3Eao263YlHROFVSxGB9bvaiwGq2TaYVR2YN45 sqWosP2jyQni3ve+r5EKzVvInAbz0xKxoHqe2QK/eBlsL56rzrQ2JjDtQcC0xqlSxgMWqH6MFCGhS 6KyjlJH45gsik2YJxTiNOyM+XnB3eUreuzVQMBecKTIBgvAwTE+6ToCXrz2Ai1t2gywvqYtTp3buD YgcaiS6g==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux)) id 1sC3uf-001C35-2M; Tue, 28 May 2024 20:59:17 +0000 Date: Tue, 28 May 2024 21:59:17 +0100 From: Al Viro To: Alice Ryhl Cc: a.hindborg@samsung.com, alex.gaynor@gmail.com, arve@android.com, benno.lossin@proton.me, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, brauner@kernel.org, cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, maco@android.com, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, surenb@google.com, tglx@linutronix.de, tkjos@android.com, tmgross@umich.edu, wedsonaf@gmail.com, willy@infradead.org, yakoyoku@gmail.com, Linus Torvalds Subject: Re: [PATCH v6 3/8] rust: file: add Rust abstraction for `struct file` Message-ID: <20240528205917.GI2118490@ZenIV> References: <20240524213245.GT2118490@ZenIV> <20240527160356.3909000-1-aliceryhl@google.com> <20240528193624.GH2118490@ZenIV> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro On Tue, May 28, 2024 at 10:29:03PM +0200, Alice Ryhl wrote: > > Incidentally, I'm very tempted to unexport close_fd(); in addition to > > being a source of bugs when called from ioctl on user-supplied descriptor > > it encourages racy crap - just look at e.g. 1819200166ce > > "drm/amdkfd: Export DMABufs from KFD using GEM handles", where we > > call drm_gem_prime_handle_to_fd(), immediately followed by > > dmabuf = dma_buf_get(fd); > > close_fd(fd); > > dup2() from another thread with guessed descriptor number as target and > > you've got a problem... It's not a violation of fdget() use rules > > (it is called from ioctl, but descriptor is guaranteed to be different > > from the one passed to ioctl(2)), but it's still wrong. Would take > > some work, though... > > Wait, what's going on there? It adds the fd and then immediately > removes it again, or? It creates an object and associated struct file, using a primitive that shoves the reference to that new struct file into descriptor table and returns the slot number. Then it looks the file up by the returned descriptor, tries to pick the object out of it and closes the descriptor. If that descriptor table is shared, well... pray the descriptor still refers to the same file by the time you try to look the file up. It's bogus; the song and dance with putting it into descriptor table makes sense for the primary user (ioctl that returns the descriptor number to userland), but here it's just plain wrong. What they need is to cut that sucker in two functions - one that returns dmabuf, with wrapper doing dma_buf_fd() on the result (or allocating a descriptor first, then calling the primitives that gets their dmabuf, then doing fd_install()). This caller should use the new primitive without messing with descriptor table. In general, new descriptors are fit only for one thing - returning them to userland. As soon as file reference is in descriptor table it might get closed right under you - file argument of fd_install() is moved, not borrowed. You might find something on lookup by that descritor, but it's not guaranteed to have anything to do with what you'd just put there. That's why we have anon_inode_getfile(), with anon_inode_getfd() being only a convenience helper, for example...