Re: [PATCH 1/2] fs: introduce sendfd() syscall

[Al Viro <viro@ZenIV.linux.org.uk>]

On Tue, Dec 02, 2014 at 03:35:18PM +1100, Alex Dubov wrote:
> +	dst_files = get_files_struct(dst_task);
> +	if (!dst_files) {
> +		rc = -EMFILE;
> +		goto out_put_dst_task;
> +	}
> +
> +	if (!lock_task_sighand(dst_task, &flags)) {
> +		rc = -EMFILE;
> +		goto out_put_dst_files;
> +	}
> +
> +	rlim = task_rlimit(dst_task, RLIMIT_NOFILE);
> +
> +	unlock_task_sighand(dst_task, &flags);
> +
> +	rc = __alloc_fd(dst_task->files, 0, rlim, O_CLOEXEC);
> +	if (rc < 0)
> +		goto out_put_dst_files;
> +
> +	s_info.si_int = rc;
> +
> +	get_file(src_file);
> +	__fd_install(dst_files, rc, src_file);
> +	rc = kill_pid_info(sig, &s_info, task_pid(dst_task));
> +
> +	if (rc < 0)
> +		__close_fd(dst_files, s_info.si_int);

Oh, lovely...  And we are guaranteed that it still the same file, because...?

Not to mention anything else, this stuff violates the assumption used in a lot
of places - that the *only* way for a process to modify a descriptor table is
to have a reference to it obtained by something that had it as its current
descriptor table and not dropped since then.  The way you do it might actually
turn out to be OK, but there's no way I'll take that without detailed analysis;
start with refcounting of struct file, for one thing - it does rely on the
assumption above in non-trivial ways.

Binder, shite as it is, satisfies that assumption.  Your "simpler" variant
does not.  Which means that you get to prove that you won't open any races
around fs/file.c.

And that's aside of the points other folks had brought up.