misc/user: use lockless update for user_creds structure

Using a reference count on user_creds structure avoids having to hold
the process's lock when reading its content. Instead, the accesser
uses a kind of RCU mechanism to only read the credentials at the time
the function was called.

This makes the code much cleaner, and avoids potentially blocking
other process operations.

NOTE: Since everything is lockless now, this introduces a potential
      TOCTOU error if 2 threads belonging to the same process call
      the set[*]uid/gid() function at the same time. This does not
      seem like a critical issue, but we may want to prevent reads
      during update operations (true RCU).

Closes #72

Author: d4ilyrun

include/kernel/process.h

@@ -107,7 +107,7 @@ struct process {
     thread_state_t state;
     uint8_t exit_status; /** Transmitted to the parent process during wait() */
 
-    struct user_creds creds; /** Process credentials. */
+    struct user_creds *creds; /** Process credentials. */
 
     spinlock_t lock;
 };

include/kernel/user.h

@@ -15,9 +15,11 @@
 
 #include <kernel/error.h>
 #include <kernel/types.h>
+#include <kernel/refcnt.h>
 
 /** User credentials. */
 struct user_creds {
+    refcnt_t ref;
     uid_t ruid; /*!< Real UID */
     uid_t rgid; /*!< Real GID */
     uid_t euid; /*!< Effective UID */
@@ -33,8 +35,11 @@ static inline bool creds_is_root(const struct user_creds *creds)
     return creds->ruid == UID_ROOT;
 }
 
-/** Copy the credentials from @c src into @c dst. */
-void creds_copy(struct user_creds *dst, const struct user_creds *src);
+struct user_creds *creds_new(void);
+struct user_creds *creds_get(struct user_creds *creds);
+void creds_put(struct user_creds *creds);
+void creds_install(struct user_creds **dest, struct user_creds *creds);
+struct user_creds *creds_clone(struct user_creds *creds);
 
 #endif /* KERNEL_USER_H */
 

kernel/fs/vfs.c

@@ -138,6 +138,7 @@ error_t vfs_unmount(const char *path)
 static inline struct vnode *
 vfs_find_child_at(struct vnode **parent, const path_segment_t *segment)
 {
+    struct user_creds *creds = NULL;
     vnode_t *node = *parent;
     vnode_t *child;
     vfs_t *fs;
@@ -161,21 +162,22 @@ vfs_find_child_at(struct vnode **parent, const path_segment_t *segment)
         *parent = node;
     }
 
+    creds = creds_get(current->process->creds);
+
     child = PTR_ERR(E_NOT_DIRECTORY);
     if (node->type != VNODE_DIRECTORY)
         goto out;
 
     /* Make sure that the user can search for files inside this directory. */
-    locked_scope (&current->process->lock) {
-        child = PTR_ERR(E_ACCESS);
-        if (!vfs_vnode_check_creds(node, &current->process->creds, O_SEARCH))
-            goto out;
-    }
+    child = PTR_ERR(E_ACCESS);
+    if (!vfs_vnode_check_creds(node, creds, O_SEARCH))
+        goto out;
 
     child = node->operations->lookup(node, segment);
 
 out:
     spinlock_release(&node->lock);
+    creds_put(creds);
     return child;
 }
 
@@ -243,6 +245,7 @@ static vnode_t *
 vfs_create_at(struct vnode *parent, const char *name, vnode_type type)
 {
     struct vnode *vnode;
+    struct user_creds *creds;
 
     if (parent->operations->create == NULL)
         return PTR_ERR(E_NOT_SUPPORTED);
@@ -251,13 +254,14 @@ vfs_create_at(struct vnode *parent, const char *name, vnode_type type)
     if (IS_ERR(vnode))
         return vnode;
 
-    vnode->stat.st_nlink = 1;
+    creds = creds_get(current->process->creds);
 
     /* TODO: set file access mode (see opengroup's description of O_CREAT). */
-    locked_scope (&current->process->lock) {
-        vnode->stat.st_gid = current->process->creds.egid;
-        vnode->stat.st_uid = current->process->creds.euid;
-    }
+    vnode->stat.st_nlink = 1;
+    vnode->stat.st_gid = creds->egid;
+    vnode->stat.st_uid = creds->euid;
+
+    creds_put(creds);
 
     return vnode;
 }
@@ -366,39 +370,45 @@ static inline error_t file_compute_flags(int oflags, int *flags)
 static struct file *vfs_open_at(struct vnode *vnode, int oflags)
 {
     struct file *file;
+    struct user_creds *creds;
     error_t err;
     int flags;
 
     err = file_compute_flags(oflags, &flags);
     if (err)
         return PTR_ERR(err);
 
+    creds = creds_get(current->process->creds);
+
     locked_scope (&vnode->lock) {
 
+        file = PTR_ERR(E_NOT_DIRECTORY);
         if (vnode->type != VNODE_DIRECTORY) {
             if (oflags & O_DIRECTORY)
-                return PTR_ERR(E_NOT_DIRECTORY);
+                goto out;
             if (oflags & O_SEARCH && O_SEARCH != O_EXEC)
-                return PTR_ERR(E_NOT_DIRECTORY);
+                goto out;
         }
 
+        file = PTR_ERR(E_NOT_SUPPORTED);
         if (!vnode->operations->open)
-            return PTR_ERR(E_NOT_SUPPORTED);
+            goto out;
 
-        locked_scope (&current->process->lock) {
-            if (!vfs_vnode_check_creds(vnode, &current->process->creds, flags))
-                return PTR_ERR(E_PERM);
-        }
+        file = PTR_ERR(E_PERM);
+        if (!vfs_vnode_check_creds(vnode, creds, flags))
+            goto out;
 
         file = vnode->operations->open(vnode);
         if (IS_ERR(file))
-            return file;
+            goto out;
     }
 
     file->flags = flags;
     if (flags & FD_APPEND)
         file_seek(file, 0, SEEK_END);
 
+out:
+    creds_put(creds);
     return file;
 }