From: Al Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
kvm@vger.kernel.org, cgroups@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCHSET v3] struct fd and memory safety
Date: Sat, 2 Nov 2024 05:02:19 +0000
Message-ID: <20241102050219.GA2450028@ZenIV>
In-Reply-To: <20240730050927.GC5334@ZenIV>

struct fd stuff got rebased (with fairly minor conflicts), branch
lives in the same place -
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git work.fd

Changes since the previous version:
* branch rebased to 6.12-rc2
* the fixes gone into mainline.
* so's the conversion to new layout and accessors.
* bpf side of things (with modifications) is gone into mainline (via bpf tree).
* struct fderr side dropped - overlayfs doesn't need that anymore and while it's
  possible that use cases show up, for now there's none.
* coda_parse_fd() part dropped - no longer valid due to mainline changes.
* fs/xattr.c and fs/stat.c changes moved to separate branches (#work.xattr2 and
  #work.statx2 resp.)

Individual patches in followups; review and testing would be welcome.
If no objections materialize, I'm going to put that into #for-next on
Monday.

Diffstat:
arch/alpha/kernel/osf_sys.c | 5 +-
arch/arm/kernel/sys_oabi-compat.c | 10 +-
arch/powerpc/kvm/book3s_64_vio.c | 21 +-
arch/powerpc/kvm/powerpc.c | 24 +--
arch/powerpc/platforms/cell/spu_syscalls.c | 68 +++----
arch/x86/kernel/cpu/sgx/main.c | 10 +-
arch/x86/kvm/svm/sev.c | 39 ++--
drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c | 23 +--
drivers/gpu/drm/drm_syncobj.c | 9 +-
drivers/infiniband/core/ucma.c | 19 +-
drivers/infiniband/core/uverbs_cmd.c | 8 +-
drivers/media/mc/mc-request.c | 18 +-
drivers/media/rc/lirc_dev.c | 13 +-
drivers/vfio/group.c | 6 +-
drivers/vfio/virqfd.c | 16 +-
drivers/virt/acrn/irqfd.c | 13 +-
drivers/xen/privcmd.c | 28 +--
fs/btrfs/ioctl.c | 5 +-
fs/eventfd.c | 9 +-
fs/eventpoll.c | 38 ++--
fs/ext4/ioctl.c | 21 +-
fs/f2fs/file.c | 15 +-
fs/fcntl.c | 42 ++--
fs/fhandle.c | 5 +-
fs/fsopen.c | 19 +-
fs/fuse/dev.c | 6 +-
fs/ioctl.c | 23 +--
fs/kernel_read_file.c | 12 +-
fs/locks.c | 15 +-
fs/namei.c | 13 +-
fs/namespace.c | 47 ++---
fs/notify/fanotify/fanotify_user.c | 44 ++---
fs/notify/inotify/inotify_user.c | 38 ++--
fs/ocfs2/cluster/heartbeat.c | 24 +--
fs/open.c | 61 +++---
fs/quota/quota.c | 12 +-
fs/read_write.c | 145 +++++---------
fs/readdir.c | 28 +--
fs/remap_range.c | 11 +-
fs/select.c | 48 ++---
fs/signalfd.c | 9 +-
fs/smb/client/ioctl.c | 11 +-
fs/splice.c | 78 +++-----
fs/statfs.c | 12 +-
fs/sync.c | 29 ++-
fs/timerfd.c | 40 ++--
fs/utimes.c | 11 +-
fs/xfs/xfs_exchrange.c | 18 +-
fs/xfs/xfs_handle.c | 16 +-
fs/xfs/xfs_ioctl.c | 69 ++-----
include/linux/cleanup.h | 2 +-
include/linux/file.h | 7 +-
include/linux/netlink.h | 2 +-
io_uring/sqpoll.c | 29 +--
ipc/mqueue.c | 109 +++--------
kernel/cgroup/cgroup.c | 21 +-
kernel/events/core.c | 63 ++----
kernel/module/main.c | 15 +-
kernel/nsproxy.c | 5 +-
kernel/pid.c | 20 +-
kernel/signal.c | 29 +--
kernel/sys.c | 15 +-
kernel/taskstats.c | 18 +-
kernel/watch_queue.c | 6 +-
mm/fadvise.c | 10 +-
mm/filemap.c | 17 +-
mm/memcontrol-v1.c | 44 ++---
mm/readahead.c | 17 +-
net/core/net_namespace.c | 10 +-
net/netlink/af_netlink.c | 9 +-
net/socket.c | 303 +++++++++++++----------------
security/integrity/ima/ima_main.c | 7 +-
security/landlock/syscalls.c | 45 ++---
security/loadpin/loadpin.c | 8 +-
sound/core/pcm_native.c | 2 +-
virt/kvm/eventfd.c | 15 +-
virt/kvm/vfio.c | 14 +-
77 files changed, 751 insertions(+), 1395 deletions(-)

Shortlog and commit summaries:

01/28) net/socket.c: switch to CLASS(fd)
    Get rid of the sockfd_lookup_light() and associated irregularities;
    fput_light() gone, old users of sockfd_lookup_light() switched to CLASS(fd) +
    sock_from_file().
02/28) regularize emptiness checks in fini_module(2) and vfs_dedupe_file_range()

Getting rid of passing struct fd by reference:
03/28) timerfd: switch to CLASS(fd, ...)
04/28) get rid of perf_fget_light(), convert kernel/events/core.c to CLASS(fd)

do_mq_notify() regularization:
05/28) switch netlink_getsockbyfilp() to taking descriptor
06/28) do_mq_notify(): saner skb freeing on failures
07/28) do_mq_notify(): switch to CLASS(fd, ...)
    After that the weirdness with reassignments in do_mq_notify() is gone
    (and, IMO, the result is easier to follow).

08/28) simplify xfs_find_handle() a bit
    Massage to get rid of reassignment there; simplifies control flow...

Making sure that fdget() and fdput() are done in the same function:
09/28) convert vmsplice() to CLASS(fd, ...)

Deal with fdget_raw() and fdget_pos() users - all trivial to convert.
10/28) fdget_raw() users: switch to CLASS(fd_raw, ...)
11/28) introduce "fd_pos" class, convert fdget_pos() users to it.

Prep for fdget() conversions:
12/28) o2hb_region_dev_store(): avoid goto around fdget()/fdput()
13/28) privcmd_ioeventfd_assign(): don't open-code eventfd_ctx_fdget()

14/28) fdget(), trivial conversions.
    Big one: all callers that have fdget() done the first thing in
    scope, with all matching fdput() immediately followed by leaving the
    scope. All of those are trivial to convert.
15/28) fdget(), more trivial conversions
    Same, except that fdget() is preceded by some work. All fdput()
    are still immediately followed by leaving the scope. These are also
    trivial to convert, and along with the previous commit that takes care
    of the majority of fdget() calls.
16/28) convert do_preadv()/do_pwritev()
    fdput() is transposable with everything done after it (inc_syscw()
    et al.)
17/28) convert cachestat(2)
    fdput() is transposable with copy_to_user() downstream of it.
18/28) switch spufs_calls_{get,put}() to CLASS() use
19/28) convert spu_run(2)
    fdput() used to be followed by spufs_calls_put(); we could transpose
    those two, but spufs_calls_get()/spufs_calls_put() itself can be converted
    to CLASS() use and it's cleaner that way.
20/28) convert media_request_get_by_fd()
    fdput() is transposable with debugging printk
21/28) convert cifs_ioctl_copychunk()
    fdput() moved past mnt_drop_file_write(); harmless, if somewhat
    cringeworthy. Reordering could be avoided either by adding an explicit
    scope or by making mnt_drop_file_write() called via __cleanup...
22/28) convert vfs_dedupe_file_range()
    fdput() is followed by checking fatal_signal_pending() (and aborting
    the loop in such case). fdput() is transposable with that check.
    Yes, it'll probably end up with slightly fatter code (call after the
    check has returned false + call on the almost never taken out-of-line path
    instead of one call before the check), but it's not worth bothering with
    explicit extra scope there (or dragging the check into the loop condition,
    for that matter).
23/28) convert do_select()
    take the logics from fdget() to fdput() into an inlined helper -
    with existing wait_key_set() subsumed into that.
24/28) do_pollfd(): convert to CLASS(fd)
    lift setting ->revents into the caller, so that failure exits
    (including the early one) would be plain returns.
25/28) assorted variants of irqfd setup: convert to CLASS(fd)
    fdput() is transposable with kfree(); some reordering
    is required in one of those (we do fdget() a bit earlier there).
26/28) memcg_write_event_control(): switch to CLASS(fd)
    similar to the previous. As a matter of fact, there
    might be a missing common helper or two hiding in both...
27/28) css_set_fork(): switch to CLASS(fd_raw, ...)
    could be separated from the series; its use of fget_raw()
    could be converted to fdget_raw(), with the result convertible to
    CLASS(fd_raw)
28/28) deal with the last remaing boolean uses of fd_file()
    most of them had been converted to fd_empty() by now; pick
    the few remaining strugglers.
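
Added example, not part of the message above and not kernel code: a userspace C model of why the series ties fdput() to scope exit. SCOPED_FD stands in for the kernel's CLASS(fd, ...) via the GCC/Clang cleanup attribute; the one-slot descriptor table, manual_op() and scoped_op() are hypothetical, and only the names fdget()/fdput() mirror the kernel's.

```c
/* Userspace model, not kernel code: names mirror the kernel's, bodies are made up. */
#include <errno.h>
#include <stdio.h>

struct file { int refs; };
struct fd { struct file *file; };
static struct file table0 = { .refs = 1 };	/* constructed: descriptor 0 is open */

static struct fd fdget(int n)
{
	struct fd f = { NULL };
	if (n == 0) { table0.refs++; f.file = &table0; }
	return f;
}
static void fdput(struct fd f) { if (f.file) f.file->refs--; }
static void fd_exit(struct fd *f) { fdput(*f); }
int refs(void) { return table0.refs; }

/* Stand-in for CLASS(fd, var)(n): reference dropped when var leaves scope. */
#define SCOPED_FD(var, n) \
	struct fd var __attribute__((cleanup(fd_exit))) = fdget(n)

/* Manual pairing: the -EINVAL exit forgets fdput() and leaks a reference. */
int manual_op(int n, int len)
{
	struct fd f = fdget(n);
	if (!f.file)
		return -EBADF;
	if (len < 0)
		return -EINVAL;
	fdput(f);
	return 0;
}

/* Scope-bound: every exit, early or not, drops the reference. */
int scoped_op(int n, int len)
{
	SCOPED_FD(f, n);
	if (!f.file)
		return -EBADF;
	if (len < 0)
		return -EINVAL;
	return 0;
}

int main(void)
{
	int s = scoped_op(0, -1), rs = refs(), m = manual_op(0, -1), rm = refs();
	printf("scoped: %d refs=%d; manual: %d refs=%d\n", s, rs, m, rm);
	return 0;
}
```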