[PATCH 0/3] rust_binder: check current before closing fds

[PATCH 0/3] rust_binder: check current before closing fds

[Alice Ryhl]

Please see the last patch in this series for details.

Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
Alice Ryhl (3):
      rust: sync: implement == operator for ARef
      rust: task: implement == operator for Task
      rust_binder: check current before closing fds

 drivers/android/binder/allocation.rs |  4 ++++
 rust/kernel/sync/aref.rs             | 23 +++++++++++++++++++++++
 rust/kernel/task.rs                  |  8 ++++++++
 3 files changed, 35 insertions(+)
---
base-commit: 2961f841b025fb234860bac26dfb7fa7cb0fb122
change-id: 20260219-close-fd-check-current-98e3ee59880a

Best regards,
-- 
Alice Ryhl <aliceryhl@google.com>

[PATCH 1/3] rust: sync: implement == operator for ARef

[Alice Ryhl]

Rust Binder wants to perform a comparison between ARef<Task> and &Task,
so define the == operator for ARef<_> when compared with another ARef<_>
or just a reference. The operator is implemented in terms of the same
operator applied to the inner type.

Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 rust/kernel/sync/aref.rs | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/rust/kernel/sync/aref.rs b/rust/kernel/sync/aref.rs
index 0616c0353c2b3b4d8b3be6c4b8156995a2f1d504..f56598a847e949b497f4cf2a05a7298a58a0ccef 100644
--- a/rust/kernel/sync/aref.rs
+++ b/rust/kernel/sync/aref.rs
@@ -170,3 +170,26 @@ fn drop(&mut self) {
         unsafe { T::dec_ref(self.ptr) };
     }
 }
+
+impl<T, U> PartialEq<ARef<U>> for ARef<T>
+where
+    T: AlwaysRefCounted + PartialEq<U>,
+    U: AlwaysRefCounted,
+{
+    #[inline]
+    fn eq(&self, other: &ARef<U>) -> bool {
+        T::eq(&**self, &**other)
+    }
+}
+
+impl<T, U> PartialEq<&'_ U> for ARef<T>
+where
+    T: AlwaysRefCounted + PartialEq<U>,
+{
+    #[inline]
+    fn eq(&self, other: &&U) -> bool {
+        T::eq(&**self, other)
+    }
+}
+
+impl<T: AlwaysRefCounted + Eq> Eq for ARef<T> {}

-- 
2.53.0.335.g19a08e0c02-goog

[PATCH 2/3] rust: task: implement == operator for Task

[Alice Ryhl]

It's useful to compare if two tasks are the same task or not. Rust
Binder wants this to check if a certain task is equal to the group
leader of current.

Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 rust/kernel/task.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs
index cc907fb531bceea6e8dc1175d9350bd24780a3d5..8834bf25cce5e7b7f48cd649c977eb92fbfb61e9 100644
--- a/rust/kernel/task.rs
+++ b/rust/kernel/task.rs
@@ -362,6 +362,14 @@ unsafe fn dec_ref(obj: ptr::NonNull<Self>) {
     }
 }
 
+impl PartialEq for Task {
+    fn eq(&self, other: &Self) -> bool {
+        ptr::eq(self.as_ptr(), other.as_ptr())
+    }
+}
+
+impl Eq for Task {}
+
 impl Kuid {
     /// Get the current euid.
     #[inline]

-- 
2.53.0.335.g19a08e0c02-goog

[PATCH 3/3] rust_binder: check current before closing fds

[Alice Ryhl]

This list gets populated once the transaction is delivered to the target
process, at which point it's not touched again except in BC_FREE_BUFFER
and process exit, so if the list has been populated then this code
should not run in the context of the wrong userspace process.

However, why tempt fate? The function itself can run in the context of
both the sender and receiver, and if someone can engineer a scenario
where it runs in the sender and this list is non-empty (or future Rust
Binder changes make such a scenario possible), then that'd be a problem
because we'd be closing random unrelated fds in the wrong process.

Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 drivers/android/binder/allocation.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/android/binder/allocation.rs b/drivers/android/binder/allocation.rs
index 7f65a9c3a0e58e07a7e6d4e7d7b185f73fb1aab8..31a42738a99dd8118c21bb15635f54ddd748787e 100644
--- a/drivers/android/binder/allocation.rs
+++ b/drivers/android/binder/allocation.rs
@@ -260,6 +260,10 @@ fn drop(&mut self) {
                 }
             }
 
+            if self.process.task != kernel::current!().group_leader() {
+                // Called from wrong task, so do not free fds.
+                info.file_list.close_on_free.clear();
+            }
             for &fd in &info.file_list.close_on_free {
                 let closer = match DeferredFdCloser::new(GFP_KERNEL) {
                     Ok(closer) => closer,

-- 
2.53.0.335.g19a08e0c02-goog

Re: [PATCH 1/3] rust: sync: implement == operator for ARef

[Gary Guo]

On 2026-02-19 13:52, Alice Ryhl wrote:
> Rust Binder wants to perform a comparison between ARef<Task> and &Task,
> so define the == operator for ARef<_> when compared with another 
> ARef<_>
> or just a reference. The operator is implemented in terms of the same
> operator applied to the inner type.
> 
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>

I suppose `PartialEq<U>` cannot be implemented due to trait coherence 
issue?

Reviewed-by: Gary Guo <gary@garyguo.net>

> ---
>  rust/kernel/sync/aref.rs | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/rust/kernel/sync/aref.rs b/rust/kernel/sync/aref.rs
> index 
> 0616c0353c2b3b4d8b3be6c4b8156995a2f1d504..f56598a847e949b497f4cf2a05a7298a58a0ccef 
> 100644
> --- a/rust/kernel/sync/aref.rs
> +++ b/rust/kernel/sync/aref.rs
> @@ -170,3 +170,26 @@ fn drop(&mut self) {
>          unsafe { T::dec_ref(self.ptr) };
>      }
>  }
> +
> +impl<T, U> PartialEq<ARef<U>> for ARef<T>
> +where
> +    T: AlwaysRefCounted + PartialEq<U>,
> +    U: AlwaysRefCounted,
> +{
> +    #[inline]
> +    fn eq(&self, other: &ARef<U>) -> bool {
> +        T::eq(&**self, &**other)
> +    }
> +}
> +
> +impl<T, U> PartialEq<&'_ U> for ARef<T>
> +where
> +    T: AlwaysRefCounted + PartialEq<U>,
> +{
> +    #[inline]
> +    fn eq(&self, other: &&U) -> bool {
> +        T::eq(&**self, other)
> +    }
> +}
> +
> +impl<T: AlwaysRefCounted + Eq> Eq for ARef<T> {}

Re: [PATCH 2/3] rust: task: implement == operator for Task

[Gary Guo]

On 2026-02-19 13:52, Alice Ryhl wrote:
> It's useful to compare if two tasks are the same task or not. Rust
> Binder wants this to check if a certain task is equal to the group
> leader of current.
> 
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> ---
>  rust/kernel/task.rs | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs
> index 
> cc907fb531bceea6e8dc1175d9350bd24780a3d5..8834bf25cce5e7b7f48cd649c977eb92fbfb61e9 
> 100644
> --- a/rust/kernel/task.rs
> +++ b/rust/kernel/task.rs
> @@ -362,6 +362,14 @@ unsafe fn dec_ref(obj: ptr::NonNull<Self>) {
>      }
>  }
> 
> +impl PartialEq for Task {

Missing `#[inline]`. With this fixed:

Reviewed-by: Gary Guo <gary@garyguo.net>

> +    fn eq(&self, other: &Self) -> bool {
> +        ptr::eq(self.as_ptr(), other.as_ptr())
> +    }
> +}
> +
> +impl Eq for Task {}
> +
>  impl Kuid {
>      /// Get the current euid.
>      #[inline]

Re: [PATCH 1/3] rust: sync: implement == operator for ARef

[Alice Ryhl]

On Thu, Feb 19, 2026 at 02:27:38PM +0000, Gary Guo wrote:
> On 2026-02-19 13:52, Alice Ryhl wrote:
> > Rust Binder wants to perform a comparison between ARef<Task> and &Task,
> > so define the == operator for ARef<_> when compared with another ARef<_>
> > or just a reference. The operator is implemented in terms of the same
> > operator applied to the inner type.
> > 
> > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> 
> I suppose `PartialEq<U>` cannot be implemented due to trait coherence issue?

That's right:

error[E0119]: conflicting implementations of trait `core::cmp::PartialEq<sync::aref::ARef<_>>` for type `sync::aref::ARef<_>`
   --> /usr/local/google/home/aliceryhl/devel/linux/rust/kernel/sync/aref.rs:185:1
    |
174 | / impl<T, U> PartialEq<ARef<U>> for ARef<T>
175 | | where
176 | |     T: AlwaysRefCounted + PartialEq<U>,
177 | |     U: AlwaysRefCounted,
    | |________________________- first implementation here
...
185 | / impl<T, U> PartialEq<U> for ARef<T>
186 | | where
187 | |     T: AlwaysRefCounted + PartialEq<U>,
    | |_______________________________________^ conflicting implementation for `sync::aref::ARef<_>`

I can mention this in commit msg if I send another version.

> Reviewed-by: Gary Guo <gary@garyguo.net>

Thanks!