On Wed, Nov 20, 2024 at 07:46:46PM +0000, Lorenzo Stoakes wrote:
> On Wed, Nov 20, 2024 at 02:49:59PM +0000, Alice Ryhl wrote:
> > Adds an MmWithUserAsync type that uses mmput_async when dropped but is
> > otherwise identical to MmWithUser. This has to be done using a separate
> > type because the thing we are changing is the destructor.
> >
> > Rust Binder needs this to avoid a certain deadlock. See commit
> > 9a9ab0d96362 ("binder: fix race between mmput() and do_exit()") for
> > details. It's also needed in the shrinker to avoid cleaning up the mm in
> > the shrinker's context.
>
> Oh Lord, I didn't even know this existed... I see it was (re-)added in commit
> a1b2289cef92 ("android: binder: drop lru lock in isolate callback") back in 2017
> so quite a history of being necessary for binder.
>
> I see mmdrop_async(), I guess that's not needed for anything binder-ish? A quick
> look in the code suggests this is invoked in free_signal_struct() and is there
> due to some softirq stuff on x86... so yeah I guess not :)
>
> >
> > Signed-off-by: Alice Ryhl <aliceryhl@xxxxxxxxxx>
Other than queries, looks good to me from mm side so:
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx> (for mm bits)
> > ---
> > rust/kernel/mm.rs | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 49 insertions(+)
> >
> > diff --git a/rust/kernel/mm.rs b/rust/kernel/mm.rs
> > index a15acb546f68..f800b6c244cd 100644
> > --- a/rust/kernel/mm.rs
> > +++ b/rust/kernel/mm.rs
> > @@ -98,6 +98,48 @@ fn deref(&self) -> &Mm {
> > }
> > }
> >
> > +/// A wrapper for the kernel's `struct mm_struct`.
> > +///
> > +/// This type is identical to `MmWithUser` except that it uses `mmput_async` when dropping a
> > +/// refcount. This means that the destructor of `ARef<MmWithUserAsync>` is safe to call in atomic
> > +/// context.
> > +///
> > +/// # Invariants
> > +///
> > +/// Values of this type are always refcounted using `mmget`. The value of `mm_users` is non-zero.
> > +#[repr(transparent)]
> > +pub struct MmWithUserAsync {
> > + mm: MmWithUser,
> > +}
> > +
> > +// SAFETY: It is safe to call `mmput_async` on another thread than where `mmget` was called.
> > +unsafe impl Send for MmWithUserAsync {}
> > +// SAFETY: All methods on `MmWithUserAsync` can be called in parallel from several threads.
> > +unsafe impl Sync for MmWithUserAsync {}
> > +
> > +// SAFETY: By the type invariants, this type is always refcounted.
> > +unsafe impl AlwaysRefCounted for MmWithUserAsync {
> > + fn inc_ref(&self) {
> > + // SAFETY: The pointer is valid since self is a reference.
> > + unsafe { bindings::mmget(self.as_raw()) };
> > + }
> > +
> > + unsafe fn dec_ref(obj: NonNull<Self>) {
> > + // SAFETY: The caller is giving up their refcount.
> > + unsafe { bindings::mmput_async(obj.cast().as_ptr()) };
> > + }
> > +}
> > +
> > +// Make all `MmWithUser` methods available on `MmWithUserAsync`.
> > +impl Deref for MmWithUserAsync {
> > + type Target = MmWithUser;
> > +
> > + #[inline]
> > + fn deref(&self) -> &MmWithUser {
> > + &self.mm
> > + }
> > +}
> > +
> > // These methods are safe to call even if `mm_users` is zero.
> > impl Mm {
> > /// Call `mmgrab` on `current.mm`.
> > @@ -171,6 +213,13 @@ pub unsafe fn from_raw<'a>(ptr: *const bindings::mm_struct) -> &'a MmWithUser {
> > unsafe { &*ptr.cast() }
> > }
> >
> > + /// Use `mmput_async` when dropping this refcount.
> > + #[inline]
> > + pub fn use_mmput_async(me: ARef<MmWithUser>) -> ARef<MmWithUserAsync> {
>
> Again, nitty, but I wonder if this should be as_xxx()?
>
> But I guess this makes sense too.
>
> > + // SAFETY: The layouts and invariants are compatible.
> > + unsafe { ARef::from_raw(ARef::into_raw(me).cast()) }
> > + }
> > +
> > /// Try to lock the vma read lock under rcu.
> > ///
> > /// If this operation fails, the vma may still exist. In that case, you should take the mmap
> >
> > --
> > 2.47.0.371.ga323438b13-goog
> >
