Add S/R support for open FDs to deleted files.

Fixes #11425

PiperOrigin-RevId: 728549889

Author: ayushr2

pkg/sentry/fsimpl/gofer/dentry_impl.go

@@ -393,12 +393,12 @@ func (d *dentry) symlink(ctx context.Context, name, target string, creds *auth.C
 }
 
 // Precondition: !d.isSynthetic().
-func (d *dentry) openCreate(ctx context.Context, name string, accessFlags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID) (*dentry, handle, error) {
+func (d *dentry) openCreate(ctx context.Context, name string, accessFlags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID, createDentry bool) (*dentry, handle, error) {
 	switch dt := d.impl.(type) {
 	case *lisafsDentry:
-		return dt.openCreate(ctx, name, accessFlags, mode, uid, gid)
+		return dt.openCreate(ctx, name, accessFlags, mode, uid, gid, createDentry)
 	case *directfsDentry:
-		return dt.openCreate(name, accessFlags, mode, uid, gid)
+		return dt.openCreate(name, accessFlags, mode, uid, gid, createDentry)
 	default:
 		panic("unknown dentry implementation")
 	}

pkg/sentry/fsimpl/gofer/directfs_dentry.go

@@ -453,7 +453,7 @@ func (d *directfsDentry) getXattr(ctx context.Context, name string, size uint64)
 
 // getCreatedChild opens the newly created child, sets its uid/gid, constructs
 // a disconnected dentry and returns it.
-func (d *directfsDentry) getCreatedChild(name string, uid auth.KUID, gid auth.KGID, isDir bool) (*dentry, error) {
+func (d *directfsDentry) getCreatedChild(name string, uid auth.KUID, gid auth.KGID, isDir bool, createDentry bool) (*dentry, error) {
 	unlinkFlags := 0
 	extraOpenFlags := 0
 	if isDir {
@@ -481,12 +481,15 @@ func (d *directfsDentry) getCreatedChild(name string, uid auth.KUID, gid auth.KG
 		return nil, err
 	}
 
-	child, err := d.fs.newDirectfsDentry(childFD)
-	if err != nil {
-		// Ownership of childFD was passed to newDirectDentry(), so no need to
-		// clean that up.
-		deleteChild()
-		return nil, err
+	var child *dentry
+	if createDentry {
+		child, err = d.fs.newDirectfsDentry(childFD)
+		if err != nil {
+			// Ownership of childFD was passed to newDirectDentry(), so no need to
+			// clean that up.
+			deleteChild()
+			return nil, err
+		}
 	}
 	return child, nil
 }
@@ -506,7 +509,7 @@ func (d *directfsDentry) mknod(ctx context.Context, name string, creds *auth.Cre
 	if err := unix.Mknodat(d.controlFD, name, uint32(opts.Mode), 0); err != nil {
 		return nil, err
 	}
-	return d.getCreatedChild(name, creds.EffectiveKUID, creds.EffectiveKGID, false /* isDir */)
+	return d.getCreatedChild(name, creds.EffectiveKUID, creds.EffectiveKGID, false /* isDir */, true /* createDentry */)
 }
 
 // Precondition: opts.Endpoint != nil and is transport.HostBoundEndpoint type.
@@ -531,7 +534,7 @@ func (d *directfsDentry) bindAt(ctx context.Context, name string, creds *auth.Cr
 		return nil, err
 	}
 	// Socket already has the right UID/GID set, so use uid = gid = -1.
-	child, err := d.getCreatedChild(name, auth.NoID /* uid */, auth.NoID /* gid */, false /* isDir */)
+	child, err := d.getCreatedChild(name, auth.NoID /* uid */, auth.NoID /* gid */, false /* isDir */, true /* createDentry */)
 	if err != nil {
 		hbep.ResetBoundSocketFD(ctx)
 		return nil, err
@@ -559,31 +562,31 @@ func (d *directfsDentry) link(target *directfsDentry, name string) (*dentry, err
 	// link. The original file already has the right owner.
 	// TODO(gvisor.dev/issue/6739): Hard linked dentries should share the same
 	// inode fields.
-	return d.getCreatedChild(name, auth.NoID /* uid */, auth.NoID /* gid */, false /* isDir */)
+	return d.getCreatedChild(name, auth.NoID /* uid */, auth.NoID /* gid */, false /* isDir */, true /* createDentry */)
 }
 
 func (d *directfsDentry) mkdir(name string, mode linux.FileMode, uid auth.KUID, gid auth.KGID) (*dentry, error) {
 	if err := unix.Mkdirat(d.controlFD, name, uint32(mode)); err != nil {
 		return nil, err
 	}
-	return d.getCreatedChild(name, uid, gid, true /* isDir */)
+	return d.getCreatedChild(name, uid, gid, true /* isDir */, true /* createDentry */)
 }
 
 func (d *directfsDentry) symlink(name, target string, creds *auth.Credentials) (*dentry, error) {
 	if err := unix.Symlinkat(target, d.controlFD, name); err != nil {
 		return nil, err
 	}
-	return d.getCreatedChild(name, creds.EffectiveKUID, creds.EffectiveKGID, false /* isDir */)
+	return d.getCreatedChild(name, creds.EffectiveKUID, creds.EffectiveKGID, false /* isDir */, true /* createDentry */)
 }
 
-func (d *directfsDentry) openCreate(name string, accessFlags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID) (*dentry, handle, error) {
+func (d *directfsDentry) openCreate(name string, accessFlags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID, createDentry bool) (*dentry, handle, error) {
 	createFlags := unix.O_CREAT | unix.O_EXCL | int(accessFlags) | hostOpenFlags
 	childHandleFD, err := unix.Openat(d.controlFD, name, createFlags, uint32(mode&^linux.FileTypeMask))
 	if err != nil {
 		return nil, noHandle, err
 	}
 
-	child, err := d.getCreatedChild(name, uid, gid, false /* isDir */)
+	child, err := d.getCreatedChild(name, uid, gid, false /* isDir */, createDentry)
 	if err != nil {
 		_ = unix.Close(childHandleFD)
 		return nil, noHandle, err

pkg/sentry/fsimpl/gofer/filesystem.go

@@ -1271,7 +1271,7 @@ func (d *dentry) createAndOpenChildLocked(ctx context.Context, rp *vfs.Resolving
 		kgid = auth.KGID(d.gid.Load())
 	}
 
-	child, h, err := d.openCreate(ctx, name, opts.Flags&linux.O_ACCMODE, opts.Mode, creds.EffectiveKUID, kgid)
+	child, h, err := d.openCreate(ctx, name, opts.Flags&linux.O_ACCMODE, opts.Mode, creds.EffectiveKUID, kgid, true /* createDentry */)
 	if err != nil {
 		return nil, err
 	}

pkg/sentry/fsimpl/gofer/gofer.go

@@ -978,6 +978,11 @@ type dentry struct {
 	// tracks dirty segments in cache. dirty is protected by dataMu.
 	dirty fsutil.DirtySet
 
+	// If this dentry represents a deleted regular file, deletedDataSR is used to
+	// store file data for save/restore.
+	// TODO(ayushranjan): Figure out how to clear this field on resume.
+	deletedDataSR []byte
+
 	// pf implements memmap.File for mappings of hostFD.
 	pf dentryPlatformFile
 

pkg/sentry/fsimpl/gofer/lisafs_dentry.go

@@ -448,7 +448,7 @@ func (d *lisafsDentry) symlink(ctx context.Context, name, target string, creds *
 	return d.newChildDentry(ctx, &symlinkInode, name)
 }
 
-func (d *lisafsDentry) openCreate(ctx context.Context, name string, flags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID) (*dentry, handle, error) {
+func (d *lisafsDentry) openCreate(ctx context.Context, name string, flags uint32, mode linux.FileMode, uid auth.KUID, gid auth.KGID, createDentry bool) (*dentry, handle, error) {
 	ino, openFD, hostFD, err := d.controlFD.OpenCreateAt(ctx, name, flags, mode, lisafs.UID(uid), lisafs.GID(gid))
 	if err != nil {
 		return nil, noHandle, err
@@ -458,10 +458,13 @@ func (d *lisafsDentry) openCreate(ctx context.Context, name string, flags uint32
 		fdLisa: d.fs.client.NewFD(openFD),
 		fd:     int32(hostFD),
 	}
-	child, err := d.fs.newLisafsDentry(ctx, &ino)
-	if err != nil {
-		h.close(ctx)
-		return nil, noHandle, err
+	var child *dentry
+	if createDentry {
+		child, err = d.fs.newLisafsDentry(ctx, &ino)
+		if err != nil {
+			h.close(ctx)
+			return nil, noHandle, err
+		}
 	}
 	return child, h, nil
 }

pkg/sentry/fsimpl/gofer/save_restore.go

@@ -25,8 +25,10 @@ import (
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/fdnotifier"
 	"gvisor.dev/gvisor/pkg/hostarch"
+	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/refs"
 	"gvisor.dev/gvisor/pkg/safemem"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/pgalloc"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 )
@@ -48,6 +50,7 @@ func (fs *filesystem) PrepareSave(ctx context.Context) error {
 	fs.renameMu.Lock()
 	fs.evictAllCachedDentriesLocked(ctx)
 	fs.renameMu.Unlock()
+	fs.savedDentryRW = make(map[*dentry]savedDentryRW)
 
 	// Buffer pipe data so that it's available for reading after restore. (This
 	// is a legacy VFS1 feature.)
@@ -60,14 +63,23 @@ func (fs *filesystem) PrepareSave(ctx context.Context) error {
 			}
 		}
 	}
+	// Save file data for deleted regular files which are still accessible via
+	// open application FDs.
+	for sd := fs.syncableDentries.Front(); sd != nil; sd = sd.Next() {
+		if sd.d.vfsd.IsDead() {
+			if err := sd.d.prepareSaveDead(ctx); err != nil {
+				fs.syncMu.Unlock()
+				return err
+			}
+		}
+	}
 	fs.syncMu.Unlock()
 
 	// Flush local state to the remote filesystem.
 	if err := fs.Sync(ctx); err != nil {
 		return err
 	}
 
-	fs.savedDentryRW = make(map[*dentry]savedDentryRW)
 	return fs.root.prepareSaveRecursive(ctx)
 }
 
@@ -96,6 +108,55 @@ func (fd *specialFileFD) savePipeData(ctx context.Context) error {
 	return nil
 }
 
+func (d *dentry) prepareSaveDead(ctx context.Context) error {
+	if !d.isRegularFile() {
+		return fmt.Errorf("gofer.dentry(%q).prepareSaveDead: only regular deleted dentries can be saved, got %s", genericDebugPathname(d.fs, d), linux.FileMode(d.mode.Load()))
+	}
+	if !d.isDeleted() {
+		return fmt.Errorf("gofer.dentry(%q).prepareSaveDead: invalidated dentries can't be saved", genericDebugPathname(d.fs, d))
+	}
+	if !d.cachedMetadataAuthoritative() {
+		if err := d.updateMetadata(ctx); err != nil {
+			return err
+		}
+	}
+	if d.isReadHandleOk() || d.isWriteHandleOk() {
+		d.fs.savedDentryRW[d] = savedDentryRW{
+			read:  d.isReadHandleOk(),
+			write: d.isWriteHandleOk(),
+		}
+	}
+	d.handleMu.RLock()
+	defer d.handleMu.RUnlock()
+	var h handle
+	if d.isReadHandleOk() {
+		h = d.readHandle()
+	} else {
+		var err error
+		h, err = d.openHandle(ctx, true /* read */, false /* write */, false /* trunc */)
+		if err != nil {
+			return fmt.Errorf("failed to open read handle for deleted file %q: %w", genericDebugPathname(d.fs, d), err)
+		}
+		defer h.close(ctx)
+	}
+	d.dataMu.RLock()
+	defer d.dataMu.RUnlock()
+	d.deletedDataSR = make([]byte, d.size.Load())
+	done := uint64(0)
+	for done < uint64(len(d.deletedDataSR)) {
+		n, err := h.readToBlocksAt(ctx, safemem.BlockSeqOf(safemem.BlockFromSafeSlice(d.deletedDataSR[done:])), done)
+		done += n
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return fmt.Errorf("failed to read deleted file %q: %w", genericDebugPathname(d.fs, d), err)
+		}
+	}
+	d.deletedDataSR = d.deletedDataSR[:done]
+	return nil
+}
+
 func (d *dentry) prepareSaveRecursive(ctx context.Context) error {
 	if d.isRegularFile() && !d.cachedMetadataAuthoritative() {
 		// Get updated metadata for d in case we need to perform metadata
@@ -129,7 +190,7 @@ func (d *dentry) prepareSaveRecursive(ctx context.Context) error {
 
 // beforeSave is invoked by stateify.
 func (d *dentry) beforeSave() {
-	if d.vfsd.IsDead() {
+	if d.vfsd.IsDead() && d.deletedDataSR == nil {
 		panic(fmt.Sprintf("gofer.dentry(%q).beforeSave: deleted and invalidated dentries can't be restored", genericDebugPathname(d.fs, d)))
 	}
 }
@@ -204,6 +265,7 @@ func (fs *filesystem) CompleteRestore(ctx context.Context, opts vfs.CompleteRest
 		return err
 	}
 
+	fs.syncMu.Lock()
 	// Re-open handles for specialFileFDs. Unlike the initial open
 	// (dentry.openSpecialFile()), pipes are always opened without blocking;
 	// non-readable pipe FDs are opened last to ensure that they don't get
@@ -216,18 +278,30 @@ func (fs *filesystem) CompleteRestore(ctx context.Context, opts vfs.CompleteRest
 			continue
 		}
 		if err := fd.completeRestore(ctx); err != nil {
+			fs.syncMu.Unlock()
 			return err
 		}
 	}
 	if haveWriteOnlyPipes {
 		for fd := fs.specialFileFDs.Front(); fd != nil; fd = fd.Next() {
 			if fd.dentry().fileType() == linux.S_IFIFO && !fd.vfsfd.IsReadable() {
 				if err := fd.completeRestore(ctx); err != nil {
+					fs.syncMu.Unlock()
 					return err
 				}
 			}
 		}
 	}
+	// Restore deleted files which are still accessible via open application FDs.
+	for sd := fs.syncableDentries.Front(); sd != nil; sd = sd.Next() {
+		if sd.d.deletedDataSR != nil {
+			if err := sd.d.restoreDead(ctx, &opts); err != nil {
+				fs.syncMu.Unlock()
+				return err
+			}
+		}
+	}
+	fs.syncMu.Unlock()
 
 	// Discard state only required during restore.
 	fs.savedDentryRW = nil
@@ -256,6 +330,37 @@ func (d *dentry) restoreDescendantsRecursive(ctx context.Context, opts *vfs.Comp
 	return nil
 }
 
+// Preconditions: d.deletedDataSR != nil.
+func (d *dentry) restoreDead(ctx context.Context, opts *vfs.CompleteRestoreOptions) error {
+	parent := d.parent.Load()
+	// This is a deleted regular file. Recreate it on the host filesystem
+	// temporarily, fill it with data and then proceed with the restore.
+	_, h, err := parent.openCreate(ctx, d.name, linux.O_WRONLY, linux.FileMode(d.mode.Load()), auth.KUID(d.uid.Load()), auth.KGID(d.gid.Load()), false /* createDentry */)
+	if err != nil {
+		return fmt.Errorf("failed to re-create deleted file %q: %w", genericDebugPathname(d.fs, d), err)
+	}
+	defer h.close(ctx)
+	n, err := h.writeFromBlocksAt(ctx, safemem.BlockSeqOf(safemem.BlockFromSafeSlice(d.deletedDataSR)), 0)
+	if err != nil {
+		return fmt.Errorf("failed to write deleted file %q: %w", genericDebugPathname(d.fs, d), err)
+	}
+	if n != uint64(len(d.deletedDataSR)) {
+		return fmt.Errorf("failed to write all of deleted file %q: wrote %d bytes, expected %d", genericDebugPathname(d.fs, d), n, len(d.deletedDataSR))
+	}
+	d.deletedDataSR = nil
+	if err := d.restoreFile(ctx, opts); err != nil {
+		if err := parent.unlink(ctx, d.name, 0 /* flags */); err != nil {
+			// Log warning, give preference to the restore error.
+			log.Warningf("failed to clean up recreated deleted file %q: %v", genericDebugPathname(d.fs, d), err)
+		}
+		return err
+	}
+	if err := parent.unlink(ctx, d.name, 0 /* flags */); err != nil {
+		return fmt.Errorf("failed to clean up recreated deleted file %q: %v", genericDebugPathname(d.fs, d), err)
+	}
+	return nil
+}
+
 func (fd *specialFileFD) completeRestore(ctx context.Context) error {
 	d := fd.dentry()
 	h, err := d.openHandle(ctx, fd.vfsfd.IsReadable(), fd.vfsfd.IsWritable(), false /* trunc */)