License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 14:07:57 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* linux/fs/file.c
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 1998-1999, Stephen Tweedie and Bill Hawes
|
|
|
|
|
*
|
|
|
|
|
* Manage the dynamic fd arrays in the process files_struct.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-08-21 15:48:11 +00:00
|
|
|
#include <linux/syscalls.h>
|
2011-11-17 04:57:37 +00:00
|
|
|
#include <linux/export.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/fs.h>
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
#include <linux/kernel.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/mm.h>
|
2017-02-08 17:51:30 +00:00
|
|
|
#include <linux/sched/signal.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/file.h>
|
2008-04-24 11:44:08 +00:00
|
|
|
#include <linux/fdtable.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/bitops.h>
|
2005-09-09 20:04:13 +00:00
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/rcupdate.h>
|
2020-06-03 19:48:55 +00:00
|
|
|
#include <linux/close_range.h>
|
2020-06-10 15:20:05 +00:00
|
|
|
#include <net/sock.h>
|
2005-09-09 20:04:13 +00:00
|
|
|
|
2021-01-19 22:41:52 +00:00
|
|
|
#include "internal.h"
|
|
|
|
|
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int sysctl_nr_open __read_mostly = 1024*1024;
|
|
|
|
|
unsigned int sysctl_nr_open_min = BITS_PER_LONG;
|
2015-10-29 11:01:41 +00:00
|
|
|
/* our min() is unusable in constant expressions ;-/ */
|
|
|
|
|
#define __const_min(x, y) ((x) < (y) ? (x) : (y))
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int sysctl_nr_open_max =
|
|
|
|
|
__const_min(INT_MAX, ~(size_t)0/sizeof(void *)) & -BITS_PER_LONG;
|
2008-02-06 09:37:16 +00:00
|
|
|
|
2010-08-11 01:01:35 +00:00
|
|
|
static void __free_fdtable(struct fdtable *fdt)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-04-23 14:18:46 +00:00
|
|
|
kvfree(fdt->fd);
|
|
|
|
|
kvfree(fdt->open_fds);
|
2010-08-11 01:01:35 +00:00
|
|
|
kfree(fdt);
|
2005-09-09 20:04:13 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-08-15 23:56:12 +00:00
|
|
|
static void free_fdtable_rcu(struct rcu_head *rcu)
|
2005-09-09 20:04:13 +00:00
|
|
|
{
|
2013-04-29 01:42:33 +00:00
|
|
|
__free_fdtable(container_of(rcu, struct fdtable, rcu));
|
2005-09-09 20:04:13 +00:00
|
|
|
}
|
|
|
|
|
|
2015-10-30 23:53:57 +00:00
|
|
|
#define BITBIT_NR(nr) BITS_TO_LONGS(BITS_TO_LONGS(nr))
|
|
|
|
|
#define BITBIT_SIZE(nr) (BITBIT_NR(nr) * sizeof(long))
|
|
|
|
|
|
2005-09-09 20:04:13 +00:00
|
|
|
/*
|
2015-11-06 06:32:04 +00:00
|
|
|
* Copy 'count' fd bits from the old table to the new table and clear the extra
|
|
|
|
|
* space if any. This does not copy the file pointers. Called with the files
|
|
|
|
|
* spinlock held for write.
|
|
|
|
|
*/
|
|
|
|
|
static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
|
|
|
|
|
unsigned int count)
|
|
|
|
|
{
|
|
|
|
|
unsigned int cpy, set;
|
|
|
|
|
|
|
|
|
|
cpy = count / BITS_PER_BYTE;
|
|
|
|
|
set = (nfdt->max_fds - count) / BITS_PER_BYTE;
|
|
|
|
|
memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
|
|
|
|
|
memset((char *)nfdt->open_fds + cpy, 0, set);
|
|
|
|
|
memcpy(nfdt->close_on_exec, ofdt->close_on_exec, cpy);
|
|
|
|
|
memset((char *)nfdt->close_on_exec + cpy, 0, set);
|
|
|
|
|
|
|
|
|
|
cpy = BITBIT_SIZE(count);
|
|
|
|
|
set = BITBIT_SIZE(nfdt->max_fds) - cpy;
|
|
|
|
|
memcpy(nfdt->full_fds_bits, ofdt->full_fds_bits, cpy);
|
|
|
|
|
memset((char *)nfdt->full_fds_bits + cpy, 0, set);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copy all file descriptors from the old table to the new, expanded table and
|
|
|
|
|
* clear the extra space. Called with the files spinlock held for write.
|
2005-09-09 20:04:13 +00:00
|
|
|
*/
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt)
|
2005-09-09 20:04:13 +00:00
|
|
|
{
|
2020-05-19 21:48:52 +00:00
|
|
|
size_t cpy, set;
|
2005-09-09 20:04:13 +00:00
|
|
|
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
BUG_ON(nfdt->max_fds < ofdt->max_fds);
|
|
|
|
|
|
|
|
|
|
cpy = ofdt->max_fds * sizeof(struct file *);
|
|
|
|
|
set = (nfdt->max_fds - ofdt->max_fds) * sizeof(struct file *);
|
|
|
|
|
memcpy(nfdt->fd, ofdt->fd, cpy);
|
2015-11-06 06:32:04 +00:00
|
|
|
memset((char *)nfdt->fd + cpy, 0, set);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
|
2015-11-06 06:32:04 +00:00
|
|
|
copy_fd_bitmaps(nfdt, ofdt, ofdt->max_fds);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
fs: fd tables have to be multiples of BITS_PER_LONG
This has always been the rule: fdtables have several bitmaps in them,
and as a result they have to be sized properly for bitmaps. We walk
those bitmaps in chunks of 'unsigned long' in serveral cases, but even
when we don't, we use the regular kernel bitops that are defined to work
on arrays of 'unsigned long', not on some byte array.
Now, the distinction between arrays of bytes and 'unsigned long'
normally only really ends up being noticeable on big-endian systems, but
Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps()
could be called with an argument that wasn't even a multiple of
BITS_PER_BYTE. And then it fails to do the proper copy even on
little-endian machines.
The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which
didn't actually sanitize the fdtable size sufficiently, and never made
sure it had the proper BITS_PER_LONG alignment.
That's partly because the alignment historically came not from having to
explicitly align things, but simply from previous fdtable sizes, and
from count_open_files(), which counts the file descriptors by walking
them one 'unsigned long' word at a time and thus naturally ends up doing
sizing in the proper 'chunks of unsigned long'.
But with the introduction of close_range(), we now have an external
source of "this is how many files we want to have", and so
sane_fdtable_size() needs to do a better job.
This also adds that explicit alignment to alloc_fdtable(), although
there it is mainly just for documentation at a source code level. The
arithmetic we do there to pick a reasonable fdtable size already aligns
the result sufficiently.
In fact,clang notices that the added ALIGN() in that function doesn't
actually do anything, and does not generate any extra code for it.
It turns out that gcc ends up confusing itself by combining a previous
constant-sized shift operation with the variable-sized shift operations
in roundup_pow_of_two(). And probably due to that doesn't notice that
the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't
matter. Having the explicit alignment makes sense, and would actually
matter on a 128-bit architecture if we ever go there.
This also adds big comments above both functions about how fdtable sizes
have to have that BITS_PER_LONG alignment.
Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE")
Reported-by: Fedor Pchelkin <aissur0002@gmail.com>
Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/
Tested-and-acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-03-29 22:06:39 +00:00
|
|
|
/*
|
|
|
|
|
* Note how the fdtable bitmap allocations very much have to be a multiple of
|
|
|
|
|
* BITS_PER_LONG. This is not only because we walk those things in chunks of
|
|
|
|
|
* 'unsigned long' in some places, but simply because that is how the Linux
|
|
|
|
|
* kernel bitmaps are defined to work: they are not "bits in an array of bytes",
|
|
|
|
|
* they are very much "bits in an array of unsigned long".
|
|
|
|
|
*
|
|
|
|
|
* The ALIGN(nr, BITS_PER_LONG) here is for clarity: since we just multiplied
|
|
|
|
|
* by that "1024/sizeof(ptr)" before, we already know there are sufficient
|
|
|
|
|
* clear low bits. Clang seems to realize that, gcc ends up being confused.
|
|
|
|
|
*
|
|
|
|
|
* On a 128-bit machine, the ALIGN() would actually matter. In the meantime,
|
|
|
|
|
* let's consider it documentation (and maybe a test-case for gcc to improve
|
|
|
|
|
* its code generation ;)
|
|
|
|
|
*/
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
static struct fdtable * alloc_fdtable(unsigned int nr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
struct fdtable *fdt;
|
2012-02-16 17:49:54 +00:00
|
|
|
void *data;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-09-09 20:04:13 +00:00
|
|
|
/*
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
* Figure out how many fds we actually want to support in this fdtable.
|
|
|
|
|
* Allocation steps are keyed to the size of the fdarray, since it
|
|
|
|
|
* grows far faster than any of the other dynamic data. We try to fit
|
|
|
|
|
* the fdarray into comfortable page-tuned chunks: starting at 1024B
|
|
|
|
|
* and growing in powers of two from there on.
|
2005-09-09 20:04:13 +00:00
|
|
|
*/
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
nr /= (1024 / sizeof(struct file *));
|
|
|
|
|
nr = roundup_pow_of_two(nr + 1);
|
|
|
|
|
nr *= (1024 / sizeof(struct file *));
|
fs: fd tables have to be multiples of BITS_PER_LONG
This has always been the rule: fdtables have several bitmaps in them,
and as a result they have to be sized properly for bitmaps. We walk
those bitmaps in chunks of 'unsigned long' in serveral cases, but even
when we don't, we use the regular kernel bitops that are defined to work
on arrays of 'unsigned long', not on some byte array.
Now, the distinction between arrays of bytes and 'unsigned long'
normally only really ends up being noticeable on big-endian systems, but
Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps()
could be called with an argument that wasn't even a multiple of
BITS_PER_BYTE. And then it fails to do the proper copy even on
little-endian machines.
The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which
didn't actually sanitize the fdtable size sufficiently, and never made
sure it had the proper BITS_PER_LONG alignment.
That's partly because the alignment historically came not from having to
explicitly align things, but simply from previous fdtable sizes, and
from count_open_files(), which counts the file descriptors by walking
them one 'unsigned long' word at a time and thus naturally ends up doing
sizing in the proper 'chunks of unsigned long'.
But with the introduction of close_range(), we now have an external
source of "this is how many files we want to have", and so
sane_fdtable_size() needs to do a better job.
This also adds that explicit alignment to alloc_fdtable(), although
there it is mainly just for documentation at a source code level. The
arithmetic we do there to pick a reasonable fdtable size already aligns
the result sufficiently.
In fact,clang notices that the added ALIGN() in that function doesn't
actually do anything, and does not generate any extra code for it.
It turns out that gcc ends up confusing itself by combining a previous
constant-sized shift operation with the variable-sized shift operations
in roundup_pow_of_two(). And probably due to that doesn't notice that
the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't
matter. Having the explicit alignment makes sense, and would actually
matter on a 128-bit architecture if we ever go there.
This also adds big comments above both functions about how fdtable sizes
have to have that BITS_PER_LONG alignment.
Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE")
Reported-by: Fedor Pchelkin <aissur0002@gmail.com>
Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/
Tested-and-acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-03-29 22:06:39 +00:00
|
|
|
nr = ALIGN(nr, BITS_PER_LONG);
|
2008-04-28 00:04:15 +00:00
|
|
|
/*
|
|
|
|
|
* Note that this can drive nr *below* what we had passed if sysctl_nr_open
|
|
|
|
|
* had been set lower between the check in expand_files() and here. Deal
|
|
|
|
|
* with that in caller, it's cheaper that way.
|
|
|
|
|
*
|
|
|
|
|
* We make sure that nr remains a multiple of BITS_PER_LONG - otherwise
|
|
|
|
|
* bitmaps handling below becomes unpleasant, to put it mildly...
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(nr > sysctl_nr_open))
|
|
|
|
|
nr = ((sysctl_nr_open - 1) | (BITS_PER_LONG - 1)) + 1;
|
2006-12-10 10:21:12 +00:00
|
|
|
|
2016-01-14 23:18:21 +00:00
|
|
|
fdt = kmalloc(sizeof(struct fdtable), GFP_KERNEL_ACCOUNT);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
if (!fdt)
|
2006-12-10 10:21:12 +00:00
|
|
|
goto out;
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
fdt->max_fds = nr;
|
2017-07-06 22:36:19 +00:00
|
|
|
data = kvmalloc_array(nr, sizeof(struct file *), GFP_KERNEL_ACCOUNT);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
if (!data)
|
|
|
|
|
goto out_fdt;
|
2012-02-16 17:49:54 +00:00
|
|
|
fdt->fd = data;
|
|
|
|
|
|
2017-07-06 22:36:19 +00:00
|
|
|
data = kvmalloc(max_t(size_t,
|
|
|
|
|
2 * nr / BITS_PER_BYTE + BITBIT_SIZE(nr), L1_CACHE_BYTES),
|
|
|
|
|
GFP_KERNEL_ACCOUNT);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
if (!data)
|
|
|
|
|
goto out_arr;
|
2012-02-16 17:49:54 +00:00
|
|
|
fdt->open_fds = data;
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
data += nr / BITS_PER_BYTE;
|
2012-02-16 17:49:54 +00:00
|
|
|
fdt->close_on_exec = data;
|
2015-10-30 23:53:57 +00:00
|
|
|
data += nr / BITS_PER_BYTE;
|
|
|
|
|
fdt->full_fds_bits = data;
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
|
2005-09-09 20:04:13 +00:00
|
|
|
return fdt;
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
|
|
|
|
|
out_arr:
|
2014-04-23 14:18:46 +00:00
|
|
|
kvfree(fdt->fd);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
out_fdt:
|
2005-09-09 20:04:13 +00:00
|
|
|
kfree(fdt);
|
[PATCH] fdtable: Implement new pagesize-based fdtable allocator
This patch provides an improved fdtable allocation scheme, useful for
expanding fdtable file descriptor entries. The main focus is on the fdarray,
as its memory usage grows 128 times faster than that of an fdset.
The allocation algorithm sizes the fdarray in such a way that its memory usage
increases in easy page-sized chunks. The overall algorithm expands the allowed
size in powers of two, in order to amortize the cost of invoking vmalloc() for
larger allocation sizes. Namely, the following sizes for the fdarray are
considered, and the smallest that accommodates the requested fd count is
chosen:
pagesize / 4
pagesize / 2
pagesize <- memory allocator switch point
pagesize * 2
pagesize * 4
...etc...
Unlike the current implementation, this allocation scheme does not require a
loop to compute the optimal fdarray size, and can be done in efficient
straightline code.
Furthermore, since the fdarray overflows the pagesize boundary long before any
of the fdsets do, it makes sense to optimize run-time by allocating both
fdsets in a single swoop. Even together, they will still be, by far, smaller
than the fdarray. The fdtable->open_fds is now used as the anchor for the
fdset memory allocation.
Signed-off-by: Vadim Lobanov <vlobanov@speakeasy.net>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dipankar Sarma <dipankar@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-10 10:21:22 +00:00
|
|
|
out:
|
2005-09-09 20:04:13 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-09-09 20:04:13 +00:00
|
|
|
/*
|
2006-09-29 09:01:43 +00:00
|
|
|
* Expand the file descriptor table.
|
|
|
|
|
* This function will allocate a new fdtable and both fd array and fdset, of
|
|
|
|
|
* the given size.
|
|
|
|
|
* Return <0 error code on error; 1 on successful completion.
|
|
|
|
|
* The files->file_lock should be held on entry, and will be held on exit.
|
2005-09-09 20:04:13 +00:00
|
|
|
*/
|
2016-09-01 21:38:52 +00:00
|
|
|
static int expand_fdtable(struct files_struct *files, unsigned int nr)
|
2005-09-09 20:04:13 +00:00
|
|
|
__releases(files->file_lock)
|
|
|
|
|
__acquires(files->file_lock)
|
|
|
|
|
{
|
2006-09-29 09:01:43 +00:00
|
|
|
struct fdtable *new_fdt, *cur_fdt;
|
2005-09-09 20:04:13 +00:00
|
|
|
|
|
|
|
|
spin_unlock(&files->file_lock);
|
2006-09-29 09:01:43 +00:00
|
|
|
new_fdt = alloc_fdtable(nr);
|
2015-06-30 13:54:08 +00:00
|
|
|
|
2020-11-20 23:14:35 +00:00
|
|
|
/* make sure all fd_install() have seen resize_in_progress
|
2015-06-30 13:54:08 +00:00
|
|
|
* or have finished their rcu_read_lock_sched() section.
|
|
|
|
|
*/
|
|
|
|
|
if (atomic_read(&files->count) > 1)
|
2018-11-06 01:31:31 +00:00
|
|
|
synchronize_rcu();
|
2015-06-30 13:54:08 +00:00
|
|
|
|
2005-09-09 20:04:13 +00:00
|
|
|
spin_lock(&files->file_lock);
|
2006-09-29 09:01:43 +00:00
|
|
|
if (!new_fdt)
|
|
|
|
|
return -ENOMEM;
|
2008-04-28 00:04:15 +00:00
|
|
|
/*
|
|
|
|
|
* extremely unlikely race - sysctl_nr_open decreased between the check in
|
|
|
|
|
* caller and alloc_fdtable(). Cheaper to catch it here...
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(new_fdt->max_fds <= nr)) {
|
2010-08-11 01:01:35 +00:00
|
|
|
__free_fdtable(new_fdt);
|
2008-04-28 00:04:15 +00:00
|
|
|
return -EMFILE;
|
|
|
|
|
}
|
2006-09-29 09:01:43 +00:00
|
|
|
cur_fdt = files_fdtable(files);
|
2015-06-30 13:54:08 +00:00
|
|
|
BUG_ON(nr < cur_fdt->max_fds);
|
|
|
|
|
copy_fdtable(new_fdt, cur_fdt);
|
|
|
|
|
rcu_assign_pointer(files->fdt, new_fdt);
|
|
|
|
|
if (cur_fdt != &files->fdtab)
|
|
|
|
|
call_rcu(&cur_fdt->rcu, free_fdtable_rcu);
|
2020-11-20 23:14:35 +00:00
|
|
|
/* coupled with smp_rmb() in fd_install() */
|
2015-06-30 13:54:08 +00:00
|
|
|
smp_wmb();
|
2006-09-29 09:01:43 +00:00
|
|
|
return 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Expand files.
|
2006-09-29 09:01:43 +00:00
|
|
|
* This function will expand the file structures, if the requested size exceeds
|
|
|
|
|
* the current capacity and there is room for expansion.
|
|
|
|
|
* Return <0 error code on error; 0 when nothing done; 1 when files were
|
|
|
|
|
* expanded and execution may have blocked.
|
|
|
|
|
* The files->file_lock should be held on entry, and will be held on exit.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2016-09-01 21:38:52 +00:00
|
|
|
static int expand_files(struct files_struct *files, unsigned int nr)
|
2015-06-30 13:54:08 +00:00
|
|
|
__releases(files->file_lock)
|
|
|
|
|
__acquires(files->file_lock)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2005-09-09 20:04:10 +00:00
|
|
|
struct fdtable *fdt;
|
2015-06-30 13:54:08 +00:00
|
|
|
int expanded = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-06-30 13:54:08 +00:00
|
|
|
repeat:
|
2005-09-09 20:04:10 +00:00
|
|
|
fdt = files_fdtable(files);
|
2008-07-26 20:01:20 +00:00
|
|
|
|
2006-09-29 09:01:43 +00:00
|
|
|
/* Do we need to expand? */
|
2006-12-10 10:21:12 +00:00
|
|
|
if (nr < fdt->max_fds)
|
2015-06-30 13:54:08 +00:00
|
|
|
return expanded;
|
2008-07-26 20:01:20 +00:00
|
|
|
|
2006-09-29 09:01:43 +00:00
|
|
|
/* Can we expand? */
|
2008-02-06 09:37:16 +00:00
|
|
|
if (nr >= sysctl_nr_open)
|
2006-09-29 09:01:43 +00:00
|
|
|
return -EMFILE;
|
|
|
|
|
|
2015-06-30 13:54:08 +00:00
|
|
|
if (unlikely(files->resize_in_progress)) {
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
expanded = 1;
|
|
|
|
|
wait_event(files->resize_wait, !files->resize_in_progress);
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
goto repeat;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-29 09:01:43 +00:00
|
|
|
/* All good, so we try */
|
2015-06-30 13:54:08 +00:00
|
|
|
files->resize_in_progress = true;
|
|
|
|
|
expanded = expand_fdtable(files, nr);
|
|
|
|
|
files->resize_in_progress = false;
|
|
|
|
|
|
|
|
|
|
wake_up_all(&files->resize_wait);
|
|
|
|
|
return expanded;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2005-09-09 20:04:13 +00:00
|
|
|
|
2016-09-01 21:38:52 +00:00
|
|
|
static inline void __set_close_on_exec(unsigned int fd, struct fdtable *fdt)
|
2012-08-22 00:09:42 +00:00
|
|
|
{
|
|
|
|
|
__set_bit(fd, fdt->close_on_exec);
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-01 21:38:52 +00:00
|
|
|
static inline void __clear_close_on_exec(unsigned int fd, struct fdtable *fdt)
|
2012-08-22 00:09:42 +00:00
|
|
|
{
|
2015-10-31 23:06:40 +00:00
|
|
|
if (test_bit(fd, fdt->close_on_exec))
|
|
|
|
|
__clear_bit(fd, fdt->close_on_exec);
|
2012-08-22 00:09:42 +00:00
|
|
|
}
|
|
|
|
|
|
2015-10-30 23:53:57 +00:00
|
|
|
static inline void __set_open_fd(unsigned int fd, struct fdtable *fdt)
|
2012-08-22 00:09:42 +00:00
|
|
|
{
|
|
|
|
|
__set_bit(fd, fdt->open_fds);
|
2015-10-30 23:53:57 +00:00
|
|
|
fd /= BITS_PER_LONG;
|
|
|
|
|
if (!~fdt->open_fds[fd])
|
|
|
|
|
__set_bit(fd, fdt->full_fds_bits);
|
2012-08-22 00:09:42 +00:00
|
|
|
}
|
|
|
|
|
|
2015-10-30 23:53:57 +00:00
|
|
|
static inline void __clear_open_fd(unsigned int fd, struct fdtable *fdt)
|
2012-08-22 00:09:42 +00:00
|
|
|
{
|
|
|
|
|
__clear_bit(fd, fdt->open_fds);
|
2015-10-30 23:53:57 +00:00
|
|
|
__clear_bit(fd / BITS_PER_LONG, fdt->full_fds_bits);
|
2012-08-22 00:09:42 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-01 21:38:52 +00:00
|
|
|
static unsigned int count_open_files(struct fdtable *fdt)
|
2008-05-08 23:42:56 +00:00
|
|
|
{
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int size = fdt->max_fds;
|
|
|
|
|
unsigned int i;
|
2008-05-08 23:42:56 +00:00
|
|
|
|
|
|
|
|
/* Find the last open fd */
|
2012-02-16 17:49:54 +00:00
|
|
|
for (i = size / BITS_PER_LONG; i > 0; ) {
|
|
|
|
|
if (fdt->open_fds[--i])
|
2008-05-08 23:42:56 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2012-02-16 17:49:54 +00:00
|
|
|
i = (i + 1) * BITS_PER_LONG;
|
2008-05-08 23:42:56 +00:00
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
fs: fd tables have to be multiples of BITS_PER_LONG
This has always been the rule: fdtables have several bitmaps in them,
and as a result they have to be sized properly for bitmaps. We walk
those bitmaps in chunks of 'unsigned long' in serveral cases, but even
when we don't, we use the regular kernel bitops that are defined to work
on arrays of 'unsigned long', not on some byte array.
Now, the distinction between arrays of bytes and 'unsigned long'
normally only really ends up being noticeable on big-endian systems, but
Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps()
could be called with an argument that wasn't even a multiple of
BITS_PER_BYTE. And then it fails to do the proper copy even on
little-endian machines.
The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which
didn't actually sanitize the fdtable size sufficiently, and never made
sure it had the proper BITS_PER_LONG alignment.
That's partly because the alignment historically came not from having to
explicitly align things, but simply from previous fdtable sizes, and
from count_open_files(), which counts the file descriptors by walking
them one 'unsigned long' word at a time and thus naturally ends up doing
sizing in the proper 'chunks of unsigned long'.
But with the introduction of close_range(), we now have an external
source of "this is how many files we want to have", and so
sane_fdtable_size() needs to do a better job.
This also adds that explicit alignment to alloc_fdtable(), although
there it is mainly just for documentation at a source code level. The
arithmetic we do there to pick a reasonable fdtable size already aligns
the result sufficiently.
In fact,clang notices that the added ALIGN() in that function doesn't
actually do anything, and does not generate any extra code for it.
It turns out that gcc ends up confusing itself by combining a previous
constant-sized shift operation with the variable-sized shift operations
in roundup_pow_of_two(). And probably due to that doesn't notice that
the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't
matter. Having the explicit alignment makes sense, and would actually
matter on a 128-bit architecture if we ever go there.
This also adds big comments above both functions about how fdtable sizes
have to have that BITS_PER_LONG alignment.
Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE")
Reported-by: Fedor Pchelkin <aissur0002@gmail.com>
Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/
Tested-and-acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-03-29 22:06:39 +00:00
|
|
|
/*
|
|
|
|
|
* Note that a sane fdtable size always has to be a multiple of
|
|
|
|
|
* BITS_PER_LONG, since we have bitmaps that are sized by this.
|
|
|
|
|
*
|
|
|
|
|
* 'max_fds' will normally already be properly aligned, but it
|
|
|
|
|
* turns out that in the close_range() -> __close_range() ->
|
|
|
|
|
* unshare_fd() -> dup_fd() -> sane_fdtable_size() we can end
|
|
|
|
|
* up having a 'max_fds' value that isn't already aligned.
|
|
|
|
|
*
|
|
|
|
|
* Rather than make close_range() have to worry about this,
|
|
|
|
|
* just make that BITS_PER_LONG alignment be part of a sane
|
|
|
|
|
* fdtable size. Becuase that's really what it is.
|
|
|
|
|
*/
|
2020-06-03 19:48:55 +00:00
|
|
|
static unsigned int sane_fdtable_size(struct fdtable *fdt, unsigned int max_fds)
|
|
|
|
|
{
|
|
|
|
|
unsigned int count;
|
|
|
|
|
|
|
|
|
|
count = count_open_files(fdt);
|
|
|
|
|
if (max_fds < NR_OPEN_DEFAULT)
|
|
|
|
|
max_fds = NR_OPEN_DEFAULT;
|
2022-03-30 06:29:18 +00:00
|
|
|
return ALIGN(min(count, max_fds), BITS_PER_LONG);
|
2020-06-03 19:48:55 +00:00
|
|
|
}
|
|
|
|
|
|
2008-05-08 23:42:56 +00:00
|
|
|
/*
|
|
|
|
|
* Allocate a new files structure and copy contents from the
|
|
|
|
|
* passed in files structure.
|
|
|
|
|
* errorp will be valid only when the returned files_struct is NULL.
|
|
|
|
|
*/
|
2020-06-03 19:48:55 +00:00
|
|
|
struct files_struct *dup_fd(struct files_struct *oldf, unsigned int max_fds, int *errorp)
|
2008-05-08 23:42:56 +00:00
|
|
|
{
|
|
|
|
|
struct files_struct *newf;
|
|
|
|
|
struct file **old_fds, **new_fds;
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int open_files, i;
|
2008-05-08 23:42:56 +00:00
|
|
|
struct fdtable *old_fdt, *new_fdt;
|
|
|
|
|
|
|
|
|
|
*errorp = -ENOMEM;
|
2008-05-09 01:11:17 +00:00
|
|
|
newf = kmem_cache_alloc(files_cachep, GFP_KERNEL);
|
2008-05-08 23:42:56 +00:00
|
|
|
if (!newf)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2008-05-09 01:11:17 +00:00
|
|
|
atomic_set(&newf->count, 1);
|
|
|
|
|
|
|
|
|
|
spin_lock_init(&newf->file_lock);
|
2015-06-30 13:54:08 +00:00
|
|
|
newf->resize_in_progress = false;
|
|
|
|
|
init_waitqueue_head(&newf->resize_wait);
|
2008-05-09 01:11:17 +00:00
|
|
|
newf->next_fd = 0;
|
|
|
|
|
new_fdt = &newf->fdtab;
|
|
|
|
|
new_fdt->max_fds = NR_OPEN_DEFAULT;
|
2012-02-16 17:49:54 +00:00
|
|
|
new_fdt->close_on_exec = newf->close_on_exec_init;
|
|
|
|
|
new_fdt->open_fds = newf->open_fds_init;
|
2015-10-30 23:53:57 +00:00
|
|
|
new_fdt->full_fds_bits = newf->full_fds_bits_init;
|
2008-05-09 01:11:17 +00:00
|
|
|
new_fdt->fd = &newf->fd_array[0];
|
|
|
|
|
|
2008-05-08 23:42:56 +00:00
|
|
|
spin_lock(&oldf->file_lock);
|
|
|
|
|
old_fdt = files_fdtable(oldf);
|
2020-06-03 19:48:55 +00:00
|
|
|
open_files = sane_fdtable_size(old_fdt, max_fds);
|
2008-05-08 23:42:56 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check whether we need to allocate a larger fd array and fd set.
|
|
|
|
|
*/
|
2008-05-09 01:19:42 +00:00
|
|
|
while (unlikely(open_files > new_fdt->max_fds)) {
|
2008-05-08 23:42:56 +00:00
|
|
|
spin_unlock(&oldf->file_lock);
|
2008-05-09 01:02:45 +00:00
|
|
|
|
2010-08-11 01:01:35 +00:00
|
|
|
if (new_fdt != &newf->fdtab)
|
|
|
|
|
__free_fdtable(new_fdt);
|
2008-05-09 01:19:42 +00:00
|
|
|
|
2008-05-09 01:02:45 +00:00
|
|
|
new_fdt = alloc_fdtable(open_files - 1);
|
|
|
|
|
if (!new_fdt) {
|
|
|
|
|
*errorp = -ENOMEM;
|
|
|
|
|
goto out_release;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* beyond sysctl_nr_open; nothing to do */
|
|
|
|
|
if (unlikely(new_fdt->max_fds < open_files)) {
|
2010-08-11 01:01:35 +00:00
|
|
|
__free_fdtable(new_fdt);
|
2008-05-09 01:02:45 +00:00
|
|
|
*errorp = -EMFILE;
|
2008-05-08 23:42:56 +00:00
|
|
|
goto out_release;
|
2008-05-09 01:02:45 +00:00
|
|
|
}
|
|
|
|
|
|
2008-05-08 23:42:56 +00:00
|
|
|
/*
|
|
|
|
|
* Reacquire the oldf lock and a pointer to its fd table
|
|
|
|
|
* who knows it may have a new bigger fd table. We need
|
|
|
|
|
* the latest pointer.
|
|
|
|
|
*/
|
|
|
|
|
spin_lock(&oldf->file_lock);
|
|
|
|
|
old_fdt = files_fdtable(oldf);
|
2020-06-03 19:48:55 +00:00
|
|
|
open_files = sane_fdtable_size(old_fdt, max_fds);
|
2008-05-08 23:42:56 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-06 06:32:04 +00:00
|
|
|
copy_fd_bitmaps(new_fdt, old_fdt, open_files);
|
|
|
|
|
|
2008-05-08 23:42:56 +00:00
|
|
|
old_fds = old_fdt->fd;
|
|
|
|
|
new_fds = new_fdt->fd;
|
|
|
|
|
|
|
|
|
|
for (i = open_files; i != 0; i--) {
|
|
|
|
|
struct file *f = *old_fds++;
|
|
|
|
|
if (f) {
|
|
|
|
|
get_file(f);
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* The fd may be claimed in the fd bitmap but not yet
|
|
|
|
|
* instantiated in the files array if a sibling thread
|
|
|
|
|
* is partway through open(). So make sure that this
|
|
|
|
|
* fd is available to the new process.
|
|
|
|
|
*/
|
2012-02-16 17:49:42 +00:00
|
|
|
__clear_open_fd(open_files - i, new_fdt);
|
2008-05-08 23:42:56 +00:00
|
|
|
}
|
|
|
|
|
rcu_assign_pointer(*new_fds++, f);
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&oldf->file_lock);
|
|
|
|
|
|
2015-11-06 06:32:04 +00:00
|
|
|
/* clear the remainder */
|
|
|
|
|
memset(new_fds, 0, (new_fdt->max_fds - open_files) * sizeof(struct file *));
|
2008-05-08 23:42:56 +00:00
|
|
|
|
2008-05-09 01:11:17 +00:00
|
|
|
rcu_assign_pointer(newf->fdt, new_fdt);
|
|
|
|
|
|
2008-05-08 23:42:56 +00:00
|
|
|
return newf;
|
|
|
|
|
|
|
|
|
|
out_release:
|
|
|
|
|
kmem_cache_free(files_cachep, newf);
|
|
|
|
|
out:
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-11 18:19:53 +00:00
|
|
|
static struct fdtable *close_files(struct files_struct * files)
|
2012-08-15 23:56:12 +00:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* It is safe to dereference the fd table without RCU or
|
|
|
|
|
* ->file_lock because this is the last reference to the
|
2014-01-11 18:19:53 +00:00
|
|
|
* files structure.
|
2012-08-15 23:56:12 +00:00
|
|
|
*/
|
2014-01-11 18:19:53 +00:00
|
|
|
struct fdtable *fdt = rcu_dereference_raw(files->fdt);
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int i, j = 0;
|
2014-01-11 18:19:53 +00:00
|
|
|
|
2012-08-15 23:56:12 +00:00
|
|
|
for (;;) {
|
|
|
|
|
unsigned long set;
|
|
|
|
|
i = j * BITS_PER_LONG;
|
|
|
|
|
if (i >= fdt->max_fds)
|
|
|
|
|
break;
|
|
|
|
|
set = fdt->open_fds[j++];
|
|
|
|
|
while (set) {
|
|
|
|
|
if (set & 1) {
|
|
|
|
|
struct file * file = xchg(&fdt->fd[i], NULL);
|
|
|
|
|
if (file) {
|
|
|
|
|
filp_close(file, files);
|
2017-10-24 15:39:34 +00:00
|
|
|
cond_resched();
|
2012-08-15 23:56:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
i++;
|
|
|
|
|
set >>= 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-01-11 18:19:53 +00:00
|
|
|
|
|
|
|
|
return fdt;
|
2012-08-15 23:56:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void put_files_struct(struct files_struct *files)
|
|
|
|
|
{
|
|
|
|
|
if (atomic_dec_and_test(&files->count)) {
|
2014-01-11 18:19:53 +00:00
|
|
|
struct fdtable *fdt = close_files(files);
|
|
|
|
|
|
2012-08-16 00:00:58 +00:00
|
|
|
/* free the arrays if they are not embedded */
|
|
|
|
|
if (fdt != &files->fdtab)
|
|
|
|
|
__free_fdtable(fdt);
|
|
|
|
|
kmem_cache_free(files_cachep, files);
|
2012-08-15 23:56:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void exit_files(struct task_struct *tsk)
|
|
|
|
|
{
|
|
|
|
|
struct files_struct * files = tsk->files;
|
|
|
|
|
|
|
|
|
|
if (files) {
|
|
|
|
|
task_lock(tsk);
|
|
|
|
|
tsk->files = NULL;
|
|
|
|
|
task_unlock(tsk);
|
|
|
|
|
put_files_struct(files);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-05-08 22:19:16 +00:00
|
|
|
struct files_struct init_files = {
|
|
|
|
|
.count = ATOMIC_INIT(1),
|
|
|
|
|
.fdt = &init_files.fdtab,
|
|
|
|
|
.fdtab = {
|
|
|
|
|
.max_fds = NR_OPEN_DEFAULT,
|
|
|
|
|
.fd = &init_files.fd_array[0],
|
2012-02-16 17:49:54 +00:00
|
|
|
.close_on_exec = init_files.close_on_exec_init,
|
|
|
|
|
.open_fds = init_files.open_fds_init,
|
2015-10-30 23:53:57 +00:00
|
|
|
.full_fds_bits = init_files.full_fds_bits_init,
|
2008-05-08 22:19:16 +00:00
|
|
|
},
|
2011-07-17 19:25:03 +00:00
|
|
|
.file_lock = __SPIN_LOCK_UNLOCKED(init_files.file_lock),
|
2019-03-05 23:41:56 +00:00
|
|
|
.resize_wait = __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait),
|
2008-05-08 22:19:16 +00:00
|
|
|
};
|
2008-07-30 08:13:04 +00:00
|
|
|
|
2016-09-01 21:38:52 +00:00
|
|
|
static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start)
|
2015-10-30 23:53:57 +00:00
|
|
|
{
|
2016-09-01 21:38:52 +00:00
|
|
|
unsigned int maxfd = fdt->max_fds;
|
|
|
|
|
unsigned int maxbit = maxfd / BITS_PER_LONG;
|
|
|
|
|
unsigned int bitbit = start / BITS_PER_LONG;
|
2015-10-30 23:53:57 +00:00
|
|
|
|
|
|
|
|
bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG;
|
|
|
|
|
if (bitbit > maxfd)
|
|
|
|
|
return maxfd;
|
|
|
|
|
if (bitbit > start)
|
|
|
|
|
start = bitbit;
|
|
|
|
|
return find_next_zero_bit(fdt->open_fds, maxfd, start);
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-30 08:13:04 +00:00
|
|
|
/*
|
|
|
|
|
* allocate a file descriptor, mark it busy.
|
|
|
|
|
*/
|
2020-11-20 23:14:37 +00:00
|
|
|
static int alloc_fd(unsigned start, unsigned end, unsigned flags)
|
2008-07-30 08:13:04 +00:00
|
|
|
{
|
2020-11-20 23:14:37 +00:00
|
|
|
struct files_struct *files = current->files;
|
2008-07-30 08:13:04 +00:00
|
|
|
unsigned int fd;
|
|
|
|
|
int error;
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
repeat:
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
fd = start;
|
|
|
|
|
if (fd < files->next_fd)
|
|
|
|
|
fd = files->next_fd;
|
|
|
|
|
|
|
|
|
|
if (fd < fdt->max_fds)
|
2015-10-30 23:53:57 +00:00
|
|
|
fd = find_next_fd(fdt, fd);
|
2008-07-30 08:13:04 +00:00
|
|
|
|
2012-08-12 20:17:59 +00:00
|
|
|
/*
|
|
|
|
|
* N.B. For clone tasks sharing a files structure, this test
|
|
|
|
|
* will limit the total number of files that can be opened.
|
|
|
|
|
*/
|
|
|
|
|
error = -EMFILE;
|
|
|
|
|
if (fd >= end)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2008-07-30 08:13:04 +00:00
|
|
|
error = expand_files(files, fd);
|
|
|
|
|
if (error < 0)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we needed to expand the fs array we
|
|
|
|
|
* might have blocked - try again.
|
|
|
|
|
*/
|
|
|
|
|
if (error)
|
|
|
|
|
goto repeat;
|
|
|
|
|
|
|
|
|
|
if (start <= files->next_fd)
|
|
|
|
|
files->next_fd = fd + 1;
|
|
|
|
|
|
2012-02-16 17:49:42 +00:00
|
|
|
__set_open_fd(fd, fdt);
|
2008-07-30 08:13:04 +00:00
|
|
|
if (flags & O_CLOEXEC)
|
2012-02-16 17:49:42 +00:00
|
|
|
__set_close_on_exec(fd, fdt);
|
2008-07-30 08:13:04 +00:00
|
|
|
else
|
2012-02-16 17:49:42 +00:00
|
|
|
__clear_close_on_exec(fd, fdt);
|
2008-07-30 08:13:04 +00:00
|
|
|
error = fd;
|
|
|
|
|
#if 1
|
|
|
|
|
/* Sanity check */
|
2014-02-12 20:51:09 +00:00
|
|
|
if (rcu_access_pointer(fdt->fd[fd]) != NULL) {
|
2008-07-30 08:13:04 +00:00
|
|
|
printk(KERN_WARNING "alloc_fd: slot %d not NULL!\n", fd);
|
|
|
|
|
rcu_assign_pointer(fdt->fd[fd], NULL);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-20 01:23:18 +00:00
|
|
|
int __get_unused_fd_flags(unsigned flags, unsigned long nofile)
|
|
|
|
|
{
|
2020-11-20 23:14:37 +00:00
|
|
|
return alloc_fd(0, nofile, flags);
|
2020-03-20 01:23:18 +00:00
|
|
|
}
|
|
|
|
|
|
2012-08-12 21:18:05 +00:00
|
|
|
int get_unused_fd_flags(unsigned flags)
|
2008-07-30 08:13:04 +00:00
|
|
|
{
|
2020-03-20 01:23:18 +00:00
|
|
|
return __get_unused_fd_flags(flags, rlimit(RLIMIT_NOFILE));
|
2008-07-30 08:13:04 +00:00
|
|
|
}
|
2012-08-12 21:18:05 +00:00
|
|
|
EXPORT_SYMBOL(get_unused_fd_flags);
|
2012-08-16 01:03:26 +00:00
|
|
|
|
|
|
|
|
static void __put_unused_fd(struct files_struct *files, unsigned int fd)
|
|
|
|
|
{
|
|
|
|
|
struct fdtable *fdt = files_fdtable(files);
|
|
|
|
|
__clear_open_fd(fd, fdt);
|
|
|
|
|
if (fd < files->next_fd)
|
|
|
|
|
files->next_fd = fd;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void put_unused_fd(unsigned int fd)
|
|
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
__put_unused_fd(files, fd);
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(put_unused_fd);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Install a file pointer in the fd array.
|
|
|
|
|
*
|
|
|
|
|
* The VFS is full of places where we drop the files lock between
|
|
|
|
|
* setting the open_fds bitmap and installing the file in the file
|
|
|
|
|
* array. At any such point, we are vulnerable to a dup2() race
|
|
|
|
|
* installing a file in the array before us. We need to detect this and
|
|
|
|
|
* fput() the struct file we are about to overwrite in this case.
|
|
|
|
|
*
|
|
|
|
|
* It should never happen - if we allow dup2() do it, _really_ bad things
|
|
|
|
|
* will follow.
|
2012-08-16 01:06:33 +00:00
|
|
|
*
|
2020-11-20 23:14:35 +00:00
|
|
|
* This consumes the "file" refcount, so callers should treat it
|
|
|
|
|
* as if they had called fput(file).
|
2012-08-16 01:03:26 +00:00
|
|
|
*/
|
|
|
|
|
|
2020-11-20 23:14:35 +00:00
|
|
|
void fd_install(unsigned int fd, struct file *file)
|
2012-08-16 01:03:26 +00:00
|
|
|
{
|
2020-11-20 23:14:35 +00:00
|
|
|
struct files_struct *files = current->files;
|
2012-08-16 01:03:26 +00:00
|
|
|
struct fdtable *fdt;
|
2015-06-30 13:54:08 +00:00
|
|
|
|
|
|
|
|
rcu_read_lock_sched();
|
|
|
|
|
|
2017-10-03 10:58:15 +00:00
|
|
|
if (unlikely(files->resize_in_progress)) {
|
2015-06-30 13:54:08 +00:00
|
|
|
rcu_read_unlock_sched();
|
2017-10-03 10:58:15 +00:00
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
BUG_ON(fdt->fd[fd] != NULL);
|
|
|
|
|
rcu_assign_pointer(fdt->fd[fd], file);
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return;
|
2015-06-30 13:54:08 +00:00
|
|
|
}
|
|
|
|
|
/* coupled with smp_wmb() in expand_fdtable() */
|
|
|
|
|
smp_rmb();
|
|
|
|
|
fdt = rcu_dereference_sched(files->fdt);
|
2012-08-16 01:03:26 +00:00
|
|
|
BUG_ON(fdt->fd[fd] != NULL);
|
|
|
|
|
rcu_assign_pointer(fdt->fd[fd], file);
|
2015-06-30 13:54:08 +00:00
|
|
|
rcu_read_unlock_sched();
|
2012-08-16 01:03:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(fd_install);
|
2012-08-16 01:12:10 +00:00
|
|
|
|
2021-04-02 08:32:21 +00:00
|
|
|
/**
|
|
|
|
|
* pick_file - return file associatd with fd
|
|
|
|
|
* @files: file struct to retrieve file from
|
|
|
|
|
* @fd: file descriptor to retrieve file for
|
|
|
|
|
*
|
|
|
|
|
* If this functions returns an EINVAL error pointer the fd was beyond the
|
|
|
|
|
* current maximum number of file descriptors for that fdtable.
|
|
|
|
|
*
|
|
|
|
|
* Returns: The file associated with @fd, on error returns an error pointer.
|
|
|
|
|
*/
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
static struct file *pick_file(struct files_struct *files, unsigned fd)
|
2012-08-19 16:04:24 +00:00
|
|
|
{
|
2021-04-02 08:32:21 +00:00
|
|
|
struct file *file;
|
2012-08-19 16:04:24 +00:00
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
fdt = files_fdtable(files);
|
2021-04-02 08:32:21 +00:00
|
|
|
if (fd >= fdt->max_fds) {
|
|
|
|
|
file = ERR_PTR(-EINVAL);
|
2012-08-19 16:04:24 +00:00
|
|
|
goto out_unlock;
|
2021-04-02 08:32:21 +00:00
|
|
|
}
|
2012-08-19 16:04:24 +00:00
|
|
|
file = fdt->fd[fd];
|
2021-04-02 08:32:21 +00:00
|
|
|
if (!file) {
|
|
|
|
|
file = ERR_PTR(-EBADF);
|
2012-08-19 16:04:24 +00:00
|
|
|
goto out_unlock;
|
2021-04-02 08:32:21 +00:00
|
|
|
}
|
2012-08-19 16:04:24 +00:00
|
|
|
rcu_assign_pointer(fdt->fd[fd], NULL);
|
|
|
|
|
__put_unused_fd(files, fd);
|
|
|
|
|
|
|
|
|
|
out_unlock:
|
|
|
|
|
spin_unlock(&files->file_lock);
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
return file;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-20 23:14:38 +00:00
|
|
|
int close_fd(unsigned fd)
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
{
|
2020-11-20 23:14:38 +00:00
|
|
|
struct files_struct *files = current->files;
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
struct file *file;
|
|
|
|
|
|
|
|
|
|
file = pick_file(files, fd);
|
2021-04-02 08:32:21 +00:00
|
|
|
if (IS_ERR(file))
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
return -EBADF;
|
|
|
|
|
|
|
|
|
|
return filp_close(file, files);
|
2012-08-19 16:04:24 +00:00
|
|
|
}
|
2020-11-20 23:14:38 +00:00
|
|
|
EXPORT_SYMBOL(close_fd); /* for ksys_close() */
|
2012-08-19 16:04:24 +00:00
|
|
|
|
2021-04-02 08:29:36 +00:00
|
|
|
/**
|
|
|
|
|
* last_fd - return last valid index into fd table
|
|
|
|
|
* @cur_fds: files struct
|
|
|
|
|
*
|
|
|
|
|
* Context: Either rcu read lock or files_lock must be held.
|
|
|
|
|
*
|
|
|
|
|
* Returns: Last valid index into fdtable.
|
|
|
|
|
*/
|
|
|
|
|
static inline unsigned last_fd(struct fdtable *fdt)
|
|
|
|
|
{
|
|
|
|
|
return fdt->max_fds - 1;
|
|
|
|
|
}
|
|
|
|
|
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
static inline void __range_cloexec(struct files_struct *cur_fds,
|
|
|
|
|
unsigned int fd, unsigned int max_fd)
|
|
|
|
|
{
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
2021-04-02 08:29:36 +00:00
|
|
|
/* make sure we're using the correct maximum value */
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
spin_lock(&cur_fds->file_lock);
|
|
|
|
|
fdt = files_fdtable(cur_fds);
|
2021-04-02 08:29:36 +00:00
|
|
|
max_fd = min(last_fd(fdt), max_fd);
|
|
|
|
|
if (fd <= max_fd)
|
|
|
|
|
bitmap_set(fdt->close_on_exec, fd, max_fd - fd + 1);
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
spin_unlock(&cur_fds->file_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void __range_close(struct files_struct *cur_fds, unsigned int fd,
|
|
|
|
|
unsigned int max_fd)
|
|
|
|
|
{
|
|
|
|
|
while (fd <= max_fd) {
|
|
|
|
|
struct file *file;
|
|
|
|
|
|
|
|
|
|
file = pick_file(cur_fds, fd++);
|
2021-04-02 08:32:21 +00:00
|
|
|
if (!IS_ERR(file)) {
|
|
|
|
|
/* found a valid file to close */
|
|
|
|
|
filp_close(file, cur_fds);
|
|
|
|
|
cond_resched();
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
continue;
|
2021-04-02 08:32:21 +00:00
|
|
|
}
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
|
2021-04-02 08:32:21 +00:00
|
|
|
/* beyond the last fd in that table */
|
|
|
|
|
if (PTR_ERR(file) == -EINVAL)
|
|
|
|
|
return;
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
/**
|
|
|
|
|
* __close_range() - Close all file descriptors in a given range.
|
|
|
|
|
*
|
|
|
|
|
* @fd: starting file descriptor to close
|
|
|
|
|
* @max_fd: last file descriptor to close
|
|
|
|
|
*
|
|
|
|
|
* This closes a range of file descriptors. All file descriptors
|
|
|
|
|
* from @fd up to and including @max_fd are closed.
|
|
|
|
|
*/
|
2020-06-03 19:48:55 +00:00
|
|
|
int __close_range(unsigned fd, unsigned max_fd, unsigned int flags)
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
{
|
2020-06-03 19:48:55 +00:00
|
|
|
struct task_struct *me = current;
|
|
|
|
|
struct files_struct *cur_fds = me->files, *fds = NULL;
|
|
|
|
|
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
if (flags & ~(CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC))
|
2020-06-03 19:48:55 +00:00
|
|
|
return -EINVAL;
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
|
|
|
|
|
if (fd > max_fd)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2020-06-03 19:48:55 +00:00
|
|
|
if (flags & CLOSE_RANGE_UNSHARE) {
|
|
|
|
|
int ret;
|
|
|
|
|
unsigned int max_unshare_fds = NR_OPEN_MAX;
|
|
|
|
|
|
|
|
|
|
/*
|
2021-04-02 08:38:09 +00:00
|
|
|
* If the caller requested all fds to be made cloexec we always
|
|
|
|
|
* copy all of the file descriptors since they still want to
|
|
|
|
|
* use them.
|
2020-06-03 19:48:55 +00:00
|
|
|
*/
|
2021-04-02 08:38:09 +00:00
|
|
|
if (!(flags & CLOSE_RANGE_CLOEXEC)) {
|
|
|
|
|
/*
|
|
|
|
|
* If the requested range is greater than the current
|
|
|
|
|
* maximum, we're closing everything so only copy all
|
|
|
|
|
* file descriptors beneath the lowest file descriptor.
|
|
|
|
|
*/
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
if (max_fd >= last_fd(files_fdtable(cur_fds)))
|
|
|
|
|
max_unshare_fds = fd;
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
}
|
2020-06-03 19:48:55 +00:00
|
|
|
|
|
|
|
|
ret = unshare_fd(CLONE_FILES, max_unshare_fds, &fds);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We used to share our file descriptor table, and have now
|
|
|
|
|
* created a private one, make sure we're using it below.
|
|
|
|
|
*/
|
|
|
|
|
if (fds)
|
|
|
|
|
swap(cur_fds, fds);
|
|
|
|
|
}
|
|
|
|
|
|
fs, close_range: add flag CLOSE_RANGE_CLOEXEC
When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't
immediately close the files but it sets the close-on-exec bit.
It is useful for e.g. container runtimes that usually install a
seccomp profile "as late as possible" before execv'ing the container
process itself. The container runtime could either do:
1 2
- install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0);
- close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile();
- execve(...); - execve(...);
Both alternative have some disadvantages.
In the first variant the seccomp_profile cannot block the close_range
syscall, as well as opendir/read/close/... for the fallback on older
kernels.
In the second variant, close_range() can be used only on the fds
that are not going to be needed by the runtime anymore, and it must be
potentially called multiple times to account for the different ranges
that must be closed.
Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues.
The runtime is able to use the existing open fds, the seccomp profile
can block close_range() and the syscalls used for its fallback.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 10:47:45 +00:00
|
|
|
if (flags & CLOSE_RANGE_CLOEXEC)
|
|
|
|
|
__range_cloexec(cur_fds, fd, max_fd);
|
|
|
|
|
else
|
|
|
|
|
__range_close(cur_fds, fd, max_fd);
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
|
2020-06-03 19:48:55 +00:00
|
|
|
if (fds) {
|
|
|
|
|
/*
|
|
|
|
|
* We're done closing the files we were supposed to. Time to install
|
|
|
|
|
* the new file descriptor table and drop the old one.
|
|
|
|
|
*/
|
|
|
|
|
task_lock(me);
|
|
|
|
|
me->files = cur_fds;
|
|
|
|
|
task_unlock(me);
|
|
|
|
|
put_files_struct(fds);
|
|
|
|
|
}
|
|
|
|
|
|
open: add close_range()
This adds the close_range() syscall. It allows to efficiently close a range
of file descriptors up to all file descriptors of a calling task.
I was contacted by FreeBSD as they wanted to have the same close_range()
syscall as we proposed here. We've coordinated this and in the meantime, Kyle
was fast enough to merge close_range() into FreeBSD already in April:
https://reviews.freebsd.org/D21627
https://svnweb.freebsd.org/base?view=revision&revision=359836
and the current plan is to backport close_range() to FreeBSD 12.2 (cf. [2])
once its merged in Linux too. Python is in the process of switching to
close_range() on FreeBSD and they are waiting on us to merge this to switch on
Linux as well: https://bugs.python.org/issue38061
The syscall came up in a recent discussion around the new mount API and
making new file descriptor types cloexec by default. During this
discussion, Al suggested the close_range() syscall (cf. [1]). Note, a
syscall in this manner has been requested by various people over time.
First, it helps to close all file descriptors of an exec()ing task. This
can be done safely via (quoting Al's example from [1] verbatim):
/* that exec is sensitive */
unshare(CLONE_FILES);
/* we don't want anything past stderr here */
close_range(3, ~0U);
execve(....);
The code snippet above is one way of working around the problem that file
descriptors are not cloexec by default. This is aggravated by the fact that
we can't just switch them over without massively regressing userspace. For
a whole class of programs having an in-kernel method of closing all file
descriptors is very helpful (e.g. demons, service managers, programming
language standard libraries, container managers etc.).
(Please note, unshare(CLONE_FILES) should only be needed if the calling
task is multi-threaded and shares the file descriptor table with another
thread in which case two threads could race with one thread allocating file
descriptors and the other one closing them via close_range(). For the
general case close_range() before the execve() is sufficient.)
Second, it allows userspace to avoid implementing closing all file
descriptors by parsing through /proc/<pid>/fd/* and calling close() on each
file descriptor. From looking at various large(ish) userspace code bases
this or similar patterns are very common in:
- service managers (cf. [4])
- libcs (cf. [6])
- container runtimes (cf. [5])
- programming language runtimes/standard libraries
- Python (cf. [2])
- Rust (cf. [7], [8])
As Dmitry pointed out there's even a long-standing glibc bug about missing
kernel support for this task (cf. [3]).
In addition, the syscall will also work for tasks that do not have procfs
mounted and on kernels that do not have procfs support compiled in. In such
situations the only way to make sure that all file descriptors are closed
is to call close() on each file descriptor up to UINT_MAX or RLIMIT_NOFILE,
OPEN_MAX trickery (cf. comment [8] on Rust).
The performance is striking. For good measure, comparing the following
simple close_all_fds() userspace implementation that is essentially just
glibc's version in [6]:
static int close_all_fds(void)
{
int dir_fd;
DIR *dir;
struct dirent *direntp;
dir = opendir("/proc/self/fd");
if (!dir)
return -1;
dir_fd = dirfd(dir);
while ((direntp = readdir(dir))) {
int fd;
if (strcmp(direntp->d_name, ".") == 0)
continue;
if (strcmp(direntp->d_name, "..") == 0)
continue;
fd = atoi(direntp->d_name);
if (fd == dir_fd || fd == 0 || fd == 1 || fd == 2)
continue;
close(fd);
}
closedir(dir);
return 0;
}
to close_range() yields:
1. closing 4 open files:
- close_all_fds(): ~280 us
- close_range(): ~24 us
2. closing 1000 open files:
- close_all_fds(): ~5000 us
- close_range(): ~800 us
close_range() is designed to allow for some flexibility. Specifically, it
does not simply always close all open file descriptors of a task. Instead,
callers can specify an upper bound.
This is e.g. useful for scenarios where specific file descriptors are
created with well-known numbers that are supposed to be excluded from
getting closed.
For extra paranoia close_range() comes with a flags argument. This can e.g.
be used to implement extension. Once can imagine userspace wanting to stop
at the first error instead of ignoring errors under certain circumstances.
There might be other valid ideas in the future. In any case, a flag
argument doesn't hurt and keeps us on the safe side.
From an implementation side this is kept rather dumb. It saw some input
from David and Jann but all nonsense is obviously my own!
- Errors to close file descriptors are currently ignored. (Could be changed
by setting a flag in the future if needed.)
- __close_range() is a rather simplistic wrapper around __close_fd().
My reasoning behind this is based on the nature of how __close_fd() needs
to release an fd. But maybe I misunderstood specifics:
We take the files_lock and rcu-dereference the fdtable of the calling
task, we find the entry in the fdtable, get the file and need to release
files_lock before calling filp_close().
In the meantime the fdtable might have been altered so we can't just
retake the spinlock and keep the old rcu-reference of the fdtable
around. Instead we need to grab a fresh reference to the fdtable.
If my reasoning is correct then there's really no point in fancyfying
__close_range(): We just need to rcu-dereference the fdtable of the
calling task once to cap the max_fd value correctly and then go on
calling __close_fd() in a loop.
/* References */
[1]: https://lore.kernel.org/lkml/20190516165021.GD17978@ZenIV.linux.org.uk/
[2]: https://github.com/python/cpython/blob/9e4f2f3a6b8ee995c365e86d976937c141d867f8/Modules/_posixsubprocess.c#L220
[3]: https://sourceware.org/bugzilla/show_bug.cgi?id=10353#c7
[4]: https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
[5]: https://github.com/lxc/lxc/blob/ddf4b77e11a4d08f09b7b9cd13e593f8c047edc5/src/lxc/start.c#L236
[6]: https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/grantpt.c;h=2030e07fa6e652aac32c775b8c6e005844c3c4eb;hb=HEAD#l17
Note that this is an internal implementation that is not exported.
Currently, libc seems to not provide an exported version of this
because of missing kernel support to do this.
Note, in a recent patch series Florian made grantpt() a nop thereby
removing the code referenced here.
[7]: https://github.com/rust-lang/rust/issues/12148
[8]: https://github.com/rust-lang/rust/blob/5f47c0613ed4eb46fca3633c1297364c09e5e451/src/libstd/sys/unix/process2.rs#L303-L308
Rust's solution is slightly different but is equally unperformant.
Rust calls getdtablesize() which is a glibc library function that
simply returns the current RLIMIT_NOFILE or OPEN_MAX values. Rust then
goes on to call close() on each fd. That's obviously overkill for most
tasks. Rarely, tasks - especially non-demons - hit RLIMIT_NOFILE or
OPEN_MAX.
Let's be nice and assume an unprivileged user with RLIMIT_NOFILE set
to 1024. Even in this case, there's a very high chance that in the
common case Rust is calling the close() syscall 1021 times pointlessly
if the task just has 0, 1, and 2 open.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kyle Evans <self@kyle-evans.net>
Cc: Jann Horn <jannh@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Dmitry V. Levin <ldv@altlinux.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: linux-api@vger.kernel.org
2019-05-24 09:30:34 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-14 23:58:21 +00:00
|
|
|
/*
|
2021-01-19 22:41:52 +00:00
|
|
|
* See close_fd_get_file() below, this variant assumes current->files->file_lock
|
|
|
|
|
* is held.
|
2018-12-14 23:58:21 +00:00
|
|
|
*/
|
2021-01-19 22:41:52 +00:00
|
|
|
int __close_fd_get_file(unsigned int fd, struct file **res)
|
2018-12-14 23:58:21 +00:00
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
struct file *file;
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
if (fd >= fdt->max_fds)
|
2021-01-19 22:41:52 +00:00
|
|
|
goto out_err;
|
2018-12-14 23:58:21 +00:00
|
|
|
file = fdt->fd[fd];
|
|
|
|
|
if (!file)
|
2021-01-19 22:41:52 +00:00
|
|
|
goto out_err;
|
2018-12-14 23:58:21 +00:00
|
|
|
rcu_assign_pointer(fdt->fd[fd], NULL);
|
|
|
|
|
__put_unused_fd(files, fd);
|
|
|
|
|
get_file(file);
|
|
|
|
|
*res = file;
|
2019-12-11 21:10:35 +00:00
|
|
|
return 0;
|
2021-01-19 22:41:52 +00:00
|
|
|
out_err:
|
2018-12-14 23:58:21 +00:00
|
|
|
*res = NULL;
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-19 22:41:52 +00:00
|
|
|
/*
|
|
|
|
|
* variant of close_fd that gets a ref on the file for later fput.
|
|
|
|
|
* The caller must ensure that filp_close() called on the file, and then
|
|
|
|
|
* an fput().
|
|
|
|
|
*/
|
|
|
|
|
int close_fd_get_file(unsigned int fd, struct file **res)
|
|
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
ret = __close_fd_get_file(fd, res);
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-21 13:56:33 +00:00
|
|
|
void do_close_on_exec(struct files_struct *files)
|
|
|
|
|
{
|
|
|
|
|
unsigned i;
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
|
|
|
|
/* exec unshares first */
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
for (i = 0; ; i++) {
|
|
|
|
|
unsigned long set;
|
|
|
|
|
unsigned fd = i * BITS_PER_LONG;
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
if (fd >= fdt->max_fds)
|
|
|
|
|
break;
|
|
|
|
|
set = fdt->close_on_exec[i];
|
|
|
|
|
if (!set)
|
|
|
|
|
continue;
|
|
|
|
|
fdt->close_on_exec[i] = 0;
|
|
|
|
|
for ( ; set ; fd++, set >>= 1) {
|
|
|
|
|
struct file *file;
|
|
|
|
|
if (!(set & 1))
|
|
|
|
|
continue;
|
|
|
|
|
file = fdt->fd[fd];
|
|
|
|
|
if (!file)
|
|
|
|
|
continue;
|
|
|
|
|
rcu_assign_pointer(fdt->fd[fd], NULL);
|
|
|
|
|
__put_unused_fd(files, fd);
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
filp_close(file, files);
|
|
|
|
|
cond_resched();
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-10 22:00:15 +00:00
|
|
|
static inline struct file *__fget_files_rcu(struct files_struct *files,
|
2021-11-02 02:46:48 +00:00
|
|
|
unsigned int fd, fmode_t mask)
|
2012-08-16 01:12:10 +00:00
|
|
|
{
|
2021-12-10 22:00:15 +00:00
|
|
|
for (;;) {
|
|
|
|
|
struct file *file;
|
|
|
|
|
struct fdtable *fdt = rcu_dereference_raw(files->fdt);
|
|
|
|
|
struct file __rcu **fdentry;
|
2012-08-16 01:12:10 +00:00
|
|
|
|
2021-12-10 22:00:15 +00:00
|
|
|
if (unlikely(fd >= fdt->max_fds))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
fdentry = fdt->fd + array_index_nospec(fd, fdt->max_fds);
|
|
|
|
|
file = rcu_dereference_raw(*fdentry);
|
|
|
|
|
if (unlikely(!file))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (unlikely(file->f_mode & mask))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ok, we have a file pointer. However, because we do
|
|
|
|
|
* this all locklessly under RCU, we may be racing with
|
|
|
|
|
* that file being closed.
|
|
|
|
|
*
|
|
|
|
|
* Such a race can take two forms:
|
|
|
|
|
*
|
|
|
|
|
* (a) the file ref already went down to zero,
|
2021-11-02 02:46:48 +00:00
|
|
|
* and get_file_rcu() fails. Just try again:
|
2021-12-10 22:00:15 +00:00
|
|
|
*/
|
2021-11-02 02:46:48 +00:00
|
|
|
if (unlikely(!get_file_rcu(file)))
|
2021-12-10 22:00:15 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* (b) the file table entry has changed under us.
|
|
|
|
|
* Note that we don't need to re-check the 'fdt->fd'
|
|
|
|
|
* pointer having changed, because it always goes
|
|
|
|
|
* hand-in-hand with 'fdt'.
|
|
|
|
|
*
|
2021-11-02 02:46:48 +00:00
|
|
|
* If so, we need to put our ref and try again.
|
fs/file.c: __fget() and dup2() atomicity rules
__fget() does lockless fetch of pointer from the descriptor
table, attempts to grab a reference and treats "it was already
zero" as "it's already gone from the table, we just hadn't
seen the store, let's fail". Unfortunately, that breaks the
atomicity of dup2() - __fget() might see the old pointer,
notice that it's been already dropped and treat that as
"it's closed". What we should be getting is either the
old file or new one, depending whether we come before or after
dup2().
Dmitry had following test failing sometimes :
int fd;
void *Thread(void *x) {
char buf;
int n = read(fd, &buf, 1);
if (n != 1)
exit(printf("read failed: n=%d errno=%d\n", n, errno));
return 0;
}
int main()
{
fd = open("/dev/urandom", O_RDONLY);
int fd2 = open("/dev/urandom", O_RDONLY);
if (fd == -1 || fd2 == -1)
exit(printf("open failed\n"));
pthread_t th;
pthread_create(&th, 0, Thread, 0);
if (dup2(fd2, fd) == -1)
exit(printf("dup2 failed\n"));
pthread_join(th, 0);
if (close(fd) == -1)
exit(printf("close failed\n"));
if (close(fd2) == -1)
exit(printf("close failed\n"));
printf("DONE\n");
return 0;
}
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-06-29 15:10:30 +00:00
|
|
|
*/
|
2021-12-10 22:00:15 +00:00
|
|
|
if (unlikely(rcu_dereference_raw(files->fdt) != fdt) ||
|
|
|
|
|
unlikely(rcu_dereference_raw(*fdentry) != file)) {
|
2021-11-02 02:46:48 +00:00
|
|
|
fput(file);
|
2021-12-10 22:00:15 +00:00
|
|
|
continue;
|
2021-12-01 18:06:14 +00:00
|
|
|
}
|
2021-12-10 22:00:15 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ok, we have a ref to the file, and checked that it
|
|
|
|
|
* still exists.
|
|
|
|
|
*/
|
|
|
|
|
return file;
|
2012-08-16 01:12:10 +00:00
|
|
|
}
|
2021-12-10 22:00:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct file *__fget_files(struct files_struct *files, unsigned int fd,
|
2021-11-02 02:46:48 +00:00
|
|
|
fmode_t mask)
|
2021-12-10 22:00:15 +00:00
|
|
|
{
|
|
|
|
|
struct file *file;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2021-11-02 02:46:48 +00:00
|
|
|
file = __fget_files_rcu(files, fd, mask);
|
2012-08-16 01:12:10 +00:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
|
|
return file;
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-02 02:46:48 +00:00
|
|
|
static inline struct file *__fget(unsigned int fd, fmode_t mask)
|
2020-01-07 17:59:24 +00:00
|
|
|
{
|
2021-11-02 02:46:48 +00:00
|
|
|
return __fget_files(current->files, fd, mask);
|
2018-11-21 17:32:39 +00:00
|
|
|
}
|
|
|
|
|
|
2014-01-13 15:48:19 +00:00
|
|
|
struct file *fget(unsigned int fd)
|
|
|
|
|
{
|
2021-11-02 02:46:48 +00:00
|
|
|
return __fget(fd, FMODE_PATH);
|
2014-01-13 15:48:19 +00:00
|
|
|
}
|
2012-08-16 01:12:10 +00:00
|
|
|
EXPORT_SYMBOL(fget);
|
|
|
|
|
|
|
|
|
|
struct file *fget_raw(unsigned int fd)
|
|
|
|
|
{
|
2021-11-02 02:46:48 +00:00
|
|
|
return __fget(fd, 0);
|
2012-08-16 01:12:10 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(fget_raw);
|
|
|
|
|
|
2020-01-07 17:59:24 +00:00
|
|
|
struct file *fget_task(struct task_struct *task, unsigned int fd)
|
|
|
|
|
{
|
|
|
|
|
struct file *file = NULL;
|
|
|
|
|
|
|
|
|
|
task_lock(task);
|
|
|
|
|
if (task->files)
|
2021-11-02 02:46:48 +00:00
|
|
|
file = __fget_files(task->files, fd, 0);
|
2020-01-07 17:59:24 +00:00
|
|
|
task_unlock(task);
|
|
|
|
|
|
|
|
|
|
return file;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-20 23:14:28 +00:00
|
|
|
struct file *task_lookup_fd_rcu(struct task_struct *task, unsigned int fd)
|
|
|
|
|
{
|
|
|
|
|
/* Must be called with rcu_read_lock held */
|
|
|
|
|
struct files_struct *files;
|
|
|
|
|
struct file *file = NULL;
|
|
|
|
|
|
|
|
|
|
task_lock(task);
|
|
|
|
|
files = task->files;
|
|
|
|
|
if (files)
|
|
|
|
|
file = files_lookup_fd_rcu(files, fd);
|
|
|
|
|
task_unlock(task);
|
|
|
|
|
|
|
|
|
|
return file;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-20 23:14:31 +00:00
|
|
|
struct file *task_lookup_next_fd_rcu(struct task_struct *task, unsigned int *ret_fd)
|
|
|
|
|
{
|
|
|
|
|
/* Must be called with rcu_read_lock held */
|
|
|
|
|
struct files_struct *files;
|
|
|
|
|
unsigned int fd = *ret_fd;
|
|
|
|
|
struct file *file = NULL;
|
|
|
|
|
|
|
|
|
|
task_lock(task);
|
|
|
|
|
files = task->files;
|
|
|
|
|
if (files) {
|
|
|
|
|
for (; fd < files_fdtable(files)->max_fds; fd++) {
|
|
|
|
|
file = files_lookup_fd_rcu(files, fd);
|
|
|
|
|
if (file)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
task_unlock(task);
|
|
|
|
|
*ret_fd = fd;
|
|
|
|
|
return file;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-16 01:12:10 +00:00
|
|
|
/*
|
|
|
|
|
* Lightweight file lookup - no refcnt increment if fd table isn't shared.
|
|
|
|
|
*
|
|
|
|
|
* You can use this instead of fget if you satisfy all of the following
|
|
|
|
|
* conditions:
|
|
|
|
|
* 1) You must call fput_light before exiting the syscall and returning control
|
|
|
|
|
* to userspace (i.e. you cannot remember the returned struct file * after
|
|
|
|
|
* returning to userspace).
|
|
|
|
|
* 2) You must not call filp_close on the returned struct file * in between
|
|
|
|
|
* calls to fget_light and fput_light.
|
|
|
|
|
* 3) You must not clone the current task in between the calls to fget_light
|
|
|
|
|
* and fput_light.
|
|
|
|
|
*
|
|
|
|
|
* The fput_needed flag returned by fget_light should be passed to the
|
|
|
|
|
* corresponding fput_light.
|
|
|
|
|
*/
|
2014-03-04 19:54:22 +00:00
|
|
|
static unsigned long __fget_light(unsigned int fd, fmode_t mask)
|
2012-08-16 01:12:10 +00:00
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
2014-01-13 15:48:40 +00:00
|
|
|
struct file *file;
|
2012-08-16 01:12:10 +00:00
|
|
|
|
|
|
|
|
if (atomic_read(&files->count) == 1) {
|
2020-11-20 23:14:24 +00:00
|
|
|
file = files_lookup_fd_raw(files, fd);
|
2014-03-04 19:54:22 +00:00
|
|
|
if (!file || unlikely(file->f_mode & mask))
|
|
|
|
|
return 0;
|
|
|
|
|
return (unsigned long)file;
|
2012-08-16 01:12:10 +00:00
|
|
|
} else {
|
2021-11-02 02:46:48 +00:00
|
|
|
file = __fget(fd, mask);
|
2014-03-04 19:54:22 +00:00
|
|
|
if (!file)
|
|
|
|
|
return 0;
|
|
|
|
|
return FDPUT_FPUT | (unsigned long)file;
|
2012-08-16 01:12:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
2014-03-04 19:54:22 +00:00
|
|
|
unsigned long __fdget(unsigned int fd)
|
2014-01-13 15:48:40 +00:00
|
|
|
{
|
2014-03-04 19:54:22 +00:00
|
|
|
return __fget_light(fd, FMODE_PATH);
|
2014-01-13 15:48:40 +00:00
|
|
|
}
|
2014-03-04 19:54:22 +00:00
|
|
|
EXPORT_SYMBOL(__fdget);
|
2012-08-16 01:12:10 +00:00
|
|
|
|
2014-03-04 19:54:22 +00:00
|
|
|
unsigned long __fdget_raw(unsigned int fd)
|
2012-08-16 01:12:10 +00:00
|
|
|
{
|
2014-03-04 19:54:22 +00:00
|
|
|
return __fget_light(fd, 0);
|
2012-08-16 01:12:10 +00:00
|
|
|
}
|
2012-08-21 15:48:11 +00:00
|
|
|
|
2014-03-04 19:54:22 +00:00
|
|
|
unsigned long __fdget_pos(unsigned int fd)
|
|
|
|
|
{
|
2014-03-16 20:47:48 +00:00
|
|
|
unsigned long v = __fdget(fd);
|
|
|
|
|
struct file *file = (struct file *)(v & ~3);
|
2014-03-04 19:54:22 +00:00
|
|
|
|
Revert "vfs: properly and reliably lock f_pos in fdget_pos()"
This reverts commit 0be0ee71816b2b6725e2b4f32ad6726c9d729777.
I was hoping it would be benign to switch over entirely to FMODE_STREAM,
and we'd have just a couple of small fixups we'd need, but it looks like
we're not quite there yet.
While it worked fine on both my desktop and laptop, they are fairly
similar in other respects, and run mostly the same loads. Kenneth
Crudup reports that it seems to break both his vmware installation and
the KDE upower service. In both cases apparently leading to timeouts
due to waitinmg for the f_pos lock.
There are a number of character devices in particular that definitely
want stream-like behavior, but that currently don't get marked as
streams, and as a result get the exclusion between concurrent
read()/write() on the same file descriptor. Which doesn't work well for
them.
The most obvious example if this is /dev/console and /dev/tty, which use
console_fops and tty_fops respectively (and ptmx_fops for the pty master
side). It may be that it's just this that causes problems, but we
clearly weren't ready yet.
Because there's a number of other likely common cases that don't have
llseek implementations and would seem to act as stream devices:
/dev/fuse (fuse_dev_operations)
/dev/mcelog (mce_chrdev_ops)
/dev/mei0 (mei_fops)
/dev/net/tun (tun_fops)
/dev/nvme0 (nvme_dev_fops)
/dev/tpm0 (tpm_fops)
/proc/self/ns/mnt (ns_file_operations)
/dev/snd/pcm* (snd_pcm_f_ops[])
and while some of these could be trivially automatically detected by the
vfs layer when the character device is opened by just noticing that they
have no read or write operations either, it often isn't that obvious.
Some character devices most definitely do use the file position, even if
they don't allow seeking: the firmware update code, for example, uses
simple_read_from_buffer() that does use f_pos, but doesn't allow seeking
back and forth.
We'll revisit this when there's a better way to detect the problem and
fix it (possibly with a coccinelle script to do more of the FMODE_STREAM
annotations).
Reported-by: Kenneth R. Crudup <kenny@panix.com>
Cc: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-11-26 19:34:06 +00:00
|
|
|
if (file && (file->f_mode & FMODE_ATOMIC_POS)) {
|
2014-03-04 19:54:22 +00:00
|
|
|
if (file_count(file) > 1) {
|
|
|
|
|
v |= FDPUT_POS_UNLOCK;
|
|
|
|
|
mutex_lock(&file->f_pos_lock);
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-03-16 20:47:48 +00:00
|
|
|
return v;
|
2014-03-04 19:54:22 +00:00
|
|
|
}
|
|
|
|
|
|
2016-04-20 21:08:21 +00:00
|
|
|
void __f_unlock_pos(struct file *f)
|
|
|
|
|
{
|
|
|
|
|
mutex_unlock(&f->f_pos_lock);
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-04 19:54:22 +00:00
|
|
|
/*
|
|
|
|
|
* We only lock f_pos if we have threads or if the file might be
|
|
|
|
|
* shared with another process. In both cases we'll have an elevated
|
|
|
|
|
* file count (done either by fdget() or by fork()).
|
|
|
|
|
*/
|
|
|
|
|
|
2012-08-21 15:48:11 +00:00
|
|
|
void set_close_on_exec(unsigned int fd, int flag)
|
|
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
if (flag)
|
|
|
|
|
__set_close_on_exec(fd, fdt);
|
|
|
|
|
else
|
|
|
|
|
__clear_close_on_exec(fd, fdt);
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool get_close_on_exec(unsigned int fd)
|
|
|
|
|
{
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
bool res;
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
fdt = files_fdtable(files);
|
|
|
|
|
res = close_on_exec(fd, fdt);
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-21 16:11:46 +00:00
|
|
|
static int do_dup2(struct files_struct *files,
|
|
|
|
|
struct file *file, unsigned fd, unsigned flags)
|
2014-08-31 18:12:09 +00:00
|
|
|
__releases(&files->file_lock)
|
2012-08-21 15:48:11 +00:00
|
|
|
{
|
2012-08-21 16:11:46 +00:00
|
|
|
struct file *tofree;
|
2012-08-21 15:48:11 +00:00
|
|
|
struct fdtable *fdt;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We need to detect attempts to do dup2() over allocated but still
|
|
|
|
|
* not finished descriptor. NB: OpenBSD avoids that at the price of
|
|
|
|
|
* extra work in their equivalent of fget() - they insert struct
|
|
|
|
|
* file immediately after grabbing descriptor, mark it larval if
|
|
|
|
|
* more work (e.g. actual opening) is needed and make sure that
|
|
|
|
|
* fget() treats larval files as absent. Potentially interesting,
|
|
|
|
|
* but while extra work in fget() is trivial, locking implications
|
|
|
|
|
* and amount of surgery on open()-related paths in VFS are not.
|
|
|
|
|
* FreeBSD fails with -EBADF in the same situation, NetBSD "solution"
|
|
|
|
|
* deadlocks in rather amusing ways, AFAICS. All of that is out of
|
|
|
|
|
* scope of POSIX or SUS, since neither considers shared descriptor
|
|
|
|
|
* tables and this condition does not arise without those.
|
|
|
|
|
*/
|
|
|
|
|
fdt = files_fdtable(files);
|
2012-08-21 16:11:46 +00:00
|
|
|
tofree = fdt->fd[fd];
|
|
|
|
|
if (!tofree && fd_is_open(fd, fdt))
|
|
|
|
|
goto Ebusy;
|
2012-08-21 15:48:11 +00:00
|
|
|
get_file(file);
|
2012-08-21 16:11:46 +00:00
|
|
|
rcu_assign_pointer(fdt->fd[fd], file);
|
|
|
|
|
__set_open_fd(fd, fdt);
|
2012-08-21 15:48:11 +00:00
|
|
|
if (flags & O_CLOEXEC)
|
2012-08-21 16:11:46 +00:00
|
|
|
__set_close_on_exec(fd, fdt);
|
2012-08-21 15:48:11 +00:00
|
|
|
else
|
2012-08-21 16:11:46 +00:00
|
|
|
__clear_close_on_exec(fd, fdt);
|
2012-08-21 15:48:11 +00:00
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
|
|
|
|
|
if (tofree)
|
|
|
|
|
filp_close(tofree, files);
|
|
|
|
|
|
2012-08-21 16:11:46 +00:00
|
|
|
return fd;
|
|
|
|
|
|
|
|
|
|
Ebusy:
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return -EBUSY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int replace_fd(unsigned fd, struct file *file, unsigned flags)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
|
|
|
|
|
if (!file)
|
2020-11-20 23:14:38 +00:00
|
|
|
return close_fd(fd);
|
2012-08-21 16:11:46 +00:00
|
|
|
|
|
|
|
|
if (fd >= rlimit(RLIMIT_NOFILE))
|
2012-10-31 03:37:48 +00:00
|
|
|
return -EBADF;
|
2012-08-21 16:11:46 +00:00
|
|
|
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
err = expand_files(files, fd);
|
|
|
|
|
if (unlikely(err < 0))
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
return do_dup2(files, file, fd, flags);
|
|
|
|
|
|
|
|
|
|
out_unlock:
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-10 15:20:05 +00:00
|
|
|
/**
|
|
|
|
|
* __receive_fd() - Install received file into file descriptor table
|
|
|
|
|
* @file: struct file that was received from another process
|
|
|
|
|
* @ufd: __user pointer to write new fd number to
|
|
|
|
|
* @o_flags: the O_* flags to apply to the new fd entry
|
|
|
|
|
*
|
|
|
|
|
* Installs a received file into the file descriptor table, with appropriate
|
2020-06-11 03:47:45 +00:00
|
|
|
* checks and count updates. Optionally writes the fd number to userspace, if
|
|
|
|
|
* @ufd is non-NULL.
|
2020-06-10 15:20:05 +00:00
|
|
|
*
|
|
|
|
|
* This helper handles its own reference counting of the incoming
|
|
|
|
|
* struct file.
|
|
|
|
|
*
|
2020-06-11 03:47:45 +00:00
|
|
|
* Returns newly install fd or -ve on error.
|
2020-06-10 15:20:05 +00:00
|
|
|
*/
|
2021-03-25 08:22:09 +00:00
|
|
|
int __receive_fd(struct file *file, int __user *ufd, unsigned int o_flags)
|
2020-06-10 15:20:05 +00:00
|
|
|
{
|
|
|
|
|
int new_fd;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = security_file_receive(file);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2021-03-25 08:22:09 +00:00
|
|
|
new_fd = get_unused_fd_flags(o_flags);
|
|
|
|
|
if (new_fd < 0)
|
|
|
|
|
return new_fd;
|
2020-06-10 15:20:05 +00:00
|
|
|
|
2020-06-11 03:47:45 +00:00
|
|
|
if (ufd) {
|
|
|
|
|
error = put_user(new_fd, ufd);
|
|
|
|
|
if (error) {
|
2021-03-25 08:22:09 +00:00
|
|
|
put_unused_fd(new_fd);
|
2020-06-11 03:47:45 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
2020-06-10 15:20:05 +00:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 08:22:09 +00:00
|
|
|
fd_install(new_fd, get_file(file));
|
|
|
|
|
__receive_sock(file);
|
|
|
|
|
return new_fd;
|
|
|
|
|
}
|
2020-06-10 15:46:58 +00:00
|
|
|
|
2021-03-25 08:22:09 +00:00
|
|
|
int receive_fd_replace(int new_fd, struct file *file, unsigned int o_flags)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = security_file_receive(file);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
error = replace_fd(new_fd, file, o_flags);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2020-06-10 15:20:05 +00:00
|
|
|
__receive_sock(file);
|
2020-06-11 03:47:45 +00:00
|
|
|
return new_fd;
|
2020-06-10 15:20:05 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-31 10:36:24 +00:00
|
|
|
int receive_fd(struct file *file, unsigned int o_flags)
|
|
|
|
|
{
|
|
|
|
|
return __receive_fd(file, NULL, o_flags);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(receive_fd);
|
|
|
|
|
|
fs: add ksys_dup{,3}() helper; remove in-kernel calls to sys_dup{,3}()
Using ksys_dup() and ksys_dup3() as helper functions allows us to
avoid the in-kernel calls to the sys_dup() and sys_dup3() syscalls.
The ksys_ prefix denotes that these functions are meant as a drop-in
replacement for the syscalls. In particular, they use the same
calling convention as sys_dup{,3}().
In the near future, the fs-external callers of ksys_dup{,3}() should be
converted to call do_dup2() directly. Then, ksys_dup{,3}() can be moved
within sys_dup{,3}() again.
This patch is part of a series which removes in-kernel calls to syscalls.
On this basis, the syscall entry path can be streamlined. For details, see
http://lkml.kernel.org/r/20180325162527.GA17492@light.dominikbrodowski.net
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
2018-03-11 10:34:40 +00:00
|
|
|
static int ksys_dup3(unsigned int oldfd, unsigned int newfd, int flags)
|
2012-08-21 16:11:46 +00:00
|
|
|
{
|
|
|
|
|
int err = -EBADF;
|
|
|
|
|
struct file *file;
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
|
|
|
|
|
if ((flags & ~O_CLOEXEC) != 0)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2012-10-09 14:27:43 +00:00
|
|
|
if (unlikely(oldfd == newfd))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2012-08-21 16:11:46 +00:00
|
|
|
if (newfd >= rlimit(RLIMIT_NOFILE))
|
2012-10-31 03:37:48 +00:00
|
|
|
return -EBADF;
|
2012-08-21 16:11:46 +00:00
|
|
|
|
|
|
|
|
spin_lock(&files->file_lock);
|
|
|
|
|
err = expand_files(files, newfd);
|
2020-11-20 23:14:25 +00:00
|
|
|
file = files_lookup_fd_locked(files, oldfd);
|
2012-08-21 16:11:46 +00:00
|
|
|
if (unlikely(!file))
|
|
|
|
|
goto Ebadf;
|
|
|
|
|
if (unlikely(err < 0)) {
|
|
|
|
|
if (err == -EMFILE)
|
|
|
|
|
goto Ebadf;
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
}
|
|
|
|
|
return do_dup2(files, file, newfd, flags);
|
2012-08-21 15:48:11 +00:00
|
|
|
|
|
|
|
|
Ebadf:
|
|
|
|
|
err = -EBADF;
|
|
|
|
|
out_unlock:
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
fs: add ksys_dup{,3}() helper; remove in-kernel calls to sys_dup{,3}()
Using ksys_dup() and ksys_dup3() as helper functions allows us to
avoid the in-kernel calls to the sys_dup() and sys_dup3() syscalls.
The ksys_ prefix denotes that these functions are meant as a drop-in
replacement for the syscalls. In particular, they use the same
calling convention as sys_dup{,3}().
In the near future, the fs-external callers of ksys_dup{,3}() should be
converted to call do_dup2() directly. Then, ksys_dup{,3}() can be moved
within sys_dup{,3}() again.
This patch is part of a series which removes in-kernel calls to syscalls.
On this basis, the syscall entry path can be streamlined. For details, see
http://lkml.kernel.org/r/20180325162527.GA17492@light.dominikbrodowski.net
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
2018-03-11 10:34:40 +00:00
|
|
|
SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
|
|
|
|
|
{
|
|
|
|
|
return ksys_dup3(oldfd, newfd, flags);
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-21 15:48:11 +00:00
|
|
|
SYSCALL_DEFINE2(dup2, unsigned int, oldfd, unsigned int, newfd)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(newfd == oldfd)) { /* corner case */
|
|
|
|
|
struct files_struct *files = current->files;
|
|
|
|
|
int retval = oldfd;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2020-11-20 23:14:26 +00:00
|
|
|
if (!files_lookup_fd_rcu(files, oldfd))
|
2012-08-21 15:48:11 +00:00
|
|
|
retval = -EBADF;
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
fs: add ksys_dup{,3}() helper; remove in-kernel calls to sys_dup{,3}()
Using ksys_dup() and ksys_dup3() as helper functions allows us to
avoid the in-kernel calls to the sys_dup() and sys_dup3() syscalls.
The ksys_ prefix denotes that these functions are meant as a drop-in
replacement for the syscalls. In particular, they use the same
calling convention as sys_dup{,3}().
In the near future, the fs-external callers of ksys_dup{,3}() should be
converted to call do_dup2() directly. Then, ksys_dup{,3}() can be moved
within sys_dup{,3}() again.
This patch is part of a series which removes in-kernel calls to syscalls.
On this basis, the syscall entry path can be streamlined. For details, see
http://lkml.kernel.org/r/20180325162527.GA17492@light.dominikbrodowski.net
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
2018-03-11 10:34:40 +00:00
|
|
|
return ksys_dup3(oldfd, newfd, 0);
|
2012-08-21 15:48:11 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-14 06:58:49 +00:00
|
|
|
SYSCALL_DEFINE1(dup, unsigned int, fildes)
|
2012-08-21 15:48:11 +00:00
|
|
|
{
|
|
|
|
|
int ret = -EBADF;
|
|
|
|
|
struct file *file = fget_raw(fildes);
|
|
|
|
|
|
|
|
|
|
if (file) {
|
2014-12-10 23:45:44 +00:00
|
|
|
ret = get_unused_fd_flags(0);
|
2012-08-21 15:48:11 +00:00
|
|
|
if (ret >= 0)
|
|
|
|
|
fd_install(ret, file);
|
|
|
|
|
else
|
|
|
|
|
fput(file);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int f_dupfd(unsigned int from, struct file *file, unsigned flags)
|
|
|
|
|
{
|
2020-11-20 23:14:36 +00:00
|
|
|
unsigned long nofile = rlimit(RLIMIT_NOFILE);
|
2012-08-21 15:48:11 +00:00
|
|
|
int err;
|
2020-11-20 23:14:36 +00:00
|
|
|
if (from >= nofile)
|
2012-08-21 15:48:11 +00:00
|
|
|
return -EINVAL;
|
2020-11-20 23:14:36 +00:00
|
|
|
err = alloc_fd(from, nofile, flags);
|
2012-08-21 15:48:11 +00:00
|
|
|
if (err >= 0) {
|
|
|
|
|
get_file(file);
|
|
|
|
|
fd_install(err, file);
|
|
|
|
|
}
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2012-08-22 02:32:06 +00:00
|
|
|
|
|
|
|
|
int iterate_fd(struct files_struct *files, unsigned n,
|
|
|
|
|
int (*f)(const void *, struct file *, unsigned),
|
|
|
|
|
const void *p)
|
|
|
|
|
{
|
|
|
|
|
struct fdtable *fdt;
|
|
|
|
|
int res = 0;
|
|
|
|
|
if (!files)
|
|
|
|
|
return 0;
|
|
|
|
|
spin_lock(&files->file_lock);
|
2012-11-30 03:57:33 +00:00
|
|
|
for (fdt = files_fdtable(files); n < fdt->max_fds; n++) {
|
|
|
|
|
struct file *file;
|
|
|
|
|
file = rcu_dereference_check_fdtable(files, fdt->fd[n]);
|
|
|
|
|
if (!file)
|
|
|
|
|
continue;
|
|
|
|
|
res = f(p, file, n);
|
|
|
|
|
if (res)
|
|
|
|
|
break;
|
2012-08-22 02:32:06 +00:00
|
|
|
}
|
|
|
|
|
spin_unlock(&files->file_lock);
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(iterate_fd);
|
