Introduce fs_revocable_replace() to simplify the use of the revocable API with file_operations.
The function, should be called from a driver's ->open(), replaces the fops with a wrapper that automatically handles the `try_access` and `withdraw_access`.
When the file is closed, the wrapper's ->release() restores the original fops and cleanups. This centralizes the revocable logic, making drivers cleaner and easier to maintain.
Signed-off-by: Tzung-Bi Shih tzungbi@kernel.org --- PoC patch.
Known issues: - All file operations call revocable_try_access() for guaranteeing the resource even if the resource may be unused in the fops.
v5: - Rename to "fs_revocable". - Move the replacement context to struct file. - Support multiple revocable providers.
v4: https://lore.kernel.org/chrome-platform/20250923075302.591026-6-tzungbi@kern... - New in the series.
fs/Makefile | 2 +- fs/fs_revocable.c | 154 +++++++++++++++++++++++++++++++++++ include/linux/fs.h | 2 + include/linux/fs_revocable.h | 21 +++++ 4 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 fs/fs_revocable.c create mode 100644 include/linux/fs_revocable.h
diff --git a/fs/Makefile b/fs/Makefile index e3523ab2e587..ec2b21385deb 100644 --- a/fs/Makefile +++ b/fs/Makefile @@ -16,7 +16,7 @@ obj-y := open.o read_write.o file_table.o super.o \ stack.o fs_struct.o statfs.o fs_pin.o nsfs.o \ fs_types.o fs_context.o fs_parser.o fsopen.o init.o \ kernel_read_file.o mnt_idmapping.o remap_range.o pidfs.o \ - file_attr.o + file_attr.o fs_revocable.o
obj-$(CONFIG_BUFFER_HEAD) += buffer.o mpage.o obj-$(CONFIG_PROC_FS) += proc_namespace.o diff --git a/fs/fs_revocable.c b/fs/fs_revocable.c new file mode 100644 index 000000000000..4b6d755abfed --- /dev/null +++ b/fs/fs_revocable.c @@ -0,0 +1,154 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright 2025 Google LLC + * + * File operation replacement with Revocable + */ + +#include <linux/cleanup.h> +#include <linux/fs_revocable.h> +#include <linux/poll.h> +#include <linux/revocable.h> + +struct fs_revocable_replacement { + const struct fs_revocable_operations *frops; + const struct file_operations *orig_fops; + struct file_operations fops; + struct revocable **revs; + size_t num_revs; +}; + +static int fs_revocable_try_access(struct file *filp) +{ + struct fs_revocable_replacement *rr = filp->f_rr; + + return rr->frops->try_access(rr->revs, rr->num_revs, + filp->private_data); +} + +static void fs_revocable_withdraw_access(struct fs_revocable_replacement *rr) +{ + for (size_t i = 0; i < rr->num_revs; ++i) + revocable_withdraw_access(rr->revs[i]); +} + +DEFINE_FREE(fs_revocable_replacement, struct fs_revocable_replacement *, + if (_T) fs_revocable_withdraw_access(_T)) + +static ssize_t fs_revocable_read(struct file *filp, char __user *buffer, + size_t length, loff_t *offset) +{ + struct fs_revocable_replacement *rr + __free(fs_revocable_replacement) = filp->f_rr; + int ret; + + ret = fs_revocable_try_access(filp); + if (ret) + return ret; + return rr->orig_fops->read(filp, buffer, length, offset); +} + +static __poll_t fs_revocable_poll(struct file *filp, poll_table *wait) +{ + struct fs_revocable_replacement *rr + __free(fs_revocable_replacement) = filp->f_rr; + int ret; + + ret = fs_revocable_try_access(filp); + if (ret) + return ret; + return rr->orig_fops->poll(filp, wait); +} + +static long fs_revocable_unlocked_ioctl(struct file *filp, unsigned int cmd, + unsigned long arg) +{ + struct fs_revocable_replacement *rr + __free(fs_revocable_replacement) = filp->f_rr; + int ret; + + ret = fs_revocable_try_access(filp); + if (ret) + return ret; + return rr->orig_fops->unlocked_ioctl(filp, cmd, arg); +} + +static int fs_revocable_release(struct inode *inode, struct file *filp) +{ + int ret = 0; + struct fs_revocable_replacement *rr = filp->f_rr; + + if (!rr->orig_fops->release) + goto recover; + + ret = fs_revocable_try_access(filp); + if (ret) + goto recover; + + ret = rr->orig_fops->release(inode, filp); + + fs_revocable_withdraw_access(rr); +recover: + filp->f_op = rr->orig_fops; + filp->f_rr = NULL; + + for (size_t i = 0; i < rr->num_revs; ++i) + revocable_free(rr->revs[i]); + kfree(rr->revs); + kfree(rr); + + return ret; +} + +/** + * fs_revocable_replace() - Replace the file operations to be revocable-aware. + * + * Should be used only from ->open() instances. + */ +int fs_revocable_replace(struct file *filp, + const struct fs_revocable_operations *frops, + struct revocable_provider **rps, size_t num_rps) +{ + struct fs_revocable_replacement *rr; + size_t i; + + rr = kzalloc(sizeof(*rr), GFP_KERNEL); + if (!rr) + return -ENOMEM; + filp->f_rr = rr; + + rr->frops = frops; + rr->revs = kcalloc(num_rps, sizeof(*rr->revs), GFP_KERNEL); + if (!rr->revs) + goto free_rr; + for (i = 0; i < num_rps; ++i) { + rr->revs[i] = revocable_alloc(rps[i]); + if (!rr->revs[i]) + goto free_revs; + } + rr->num_revs = num_rps; + rr->orig_fops = filp->f_op; + + memcpy(&rr->fops, filp->f_op, sizeof(rr->fops)); + rr->fops.release = fs_revocable_release; + + if (rr->fops.read) + rr->fops.read = fs_revocable_read; + if (rr->fops.poll) + rr->fops.poll = fs_revocable_poll; + if (rr->fops.unlocked_ioctl) + rr->fops.unlocked_ioctl = fs_revocable_unlocked_ioctl; + + filp->f_op = &rr->fops; + return 0; +free_revs: + if (i) { + while (--i) + revocable_free(rr->revs[i]); + } + kfree(rr->revs); +free_rr: + kfree(rr); + return -ENOMEM; +} +EXPORT_SYMBOL_GPL(fs_revocable_replace); diff --git a/include/linux/fs.h b/include/linux/fs.h index 68c4a59ec8fb..a03dd7f343a9 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -80,6 +80,7 @@ struct fs_context; struct fs_parameter_spec; struct file_kattr; struct iomap_ops; +struct fs_revocable_replacement;
extern void __init inode_init(void); extern void __init inode_init_early(void); @@ -1248,6 +1249,7 @@ struct file { }; file_ref_t f_ref; /* --- cacheline 3 boundary (192 bytes) --- */ + struct fs_revocable_replacement *f_rr; } __randomize_layout __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */
diff --git a/include/linux/fs_revocable.h b/include/linux/fs_revocable.h new file mode 100644 index 000000000000..bb066392d232 --- /dev/null +++ b/include/linux/fs_revocable.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2025 Google LLC + */ + +#ifndef __LINUX_FS_REVOCABLE_H +#define __LINUX_FS_REVOCABLE_H + +#include <linux/fs.h> +#include <linux/revocable.h> + +struct fs_revocable_operations { + int (*try_access)(struct revocable **revs, size_t num_revs, void *data); +}; + +int fs_revocable_replace(struct file *filp, + const struct fs_revocable_operations *frops, + struct revocable_provider **rps, size_t num_rps); + +#endif /* __LINUX_FS_REVOCABLE_H */