Remove map from fd_map, change to fd_table.

This renames FDMap to FDTable and drops the kernel.FD type, which had an entire
package to itself and didn't serve much use (it was freely cast between types,
and served as more of an annoyance than providing any protection.)

Based on BenchmarkFDLookupAndDecRef-12, we can expect 5-10 ns per lookup
operation, and 10-15 ns per concurrent lookup operation of savings.

This also fixes two tangential usage issues with the FDMap. Namely, non-atomic
use of NewFDFrom and associated calls to Remove (that are both racy and fail to
drop the reference on the underlying file.)

PiperOrigin-RevId: 256285890

4 files changed, 22 insertions, 32 deletions

diff --git a/runsc/boot/BUILD b/runsc/boot/BUILD
index d91f66d95..16cd6540f 100644
--- a/runsc/boot/BUILD
+++ b/runsc/boot/BUILD
@@ -52,7 +52,6 @@ go_library(
         "//pkg/sentry/kernel",
         "//pkg/sentry/kernel:uncaught_signal_go_proto",
         "//pkg/sentry/kernel/auth",
-        "//pkg/sentry/kernel/kdefs",
         "//pkg/sentry/limits",
         "//pkg/sentry/loader",
         "//pkg/sentry/pgalloc",
diff --git a/runsc/boot/fds.go b/runsc/boot/fds.go
index 59e1b46ec..e5de1f3d7 100644
--- a/runsc/boot/fds.go
+++ b/runsc/boot/fds.go
@@ -21,32 +21,23 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/fs"
 	"gvisor.dev/gvisor/pkg/sentry/fs/host"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
-	"gvisor.dev/gvisor/pkg/sentry/kernel/kdefs"
-	"gvisor.dev/gvisor/pkg/sentry/limits"
 )
 
-// createFDMap creates an FD map that contains stdin, stdout, and stderr. If
-// console is true, then ioctl calls will be passed through to the host FD.
+// createFDTable creates an FD table that contains stdin, stdout, and stderr.
+// If console is true, then ioctl calls will be passed through to the host FD.
 // Upon success, createFDMap dups then closes stdioFDs.
-func createFDMap(ctx context.Context, l *limits.LimitSet, console bool, stdioFDs []int) (*kernel.FDMap, error) {
+func createFDTable(ctx context.Context, console bool, stdioFDs []int) (*kernel.FDTable, error) {
 	if len(stdioFDs) != 3 {
 		return nil, fmt.Errorf("stdioFDs should contain exactly 3 FDs (stdin, stdout, and stderr), but %d FDs received", len(stdioFDs))
 	}
 
 	k := kernel.KernelFromContext(ctx)
-	fdm := k.NewFDMap()
-	defer fdm.DecRef()
+	fdTable := k.NewFDTable()
+	defer fdTable.DecRef()
 	mounter := fs.FileOwnerFromContext(ctx)
 
-	// Maps sandbox FD to host FD.
-	fdMap := map[int]int{
-		0: stdioFDs[0],
-		1: stdioFDs[1],
-		2: stdioFDs[2],
-	}
-
 	var ttyFile *fs.File
-	for appFD, hostFD := range fdMap {
+	for appFD, hostFD := range stdioFDs {
 		var appFile *fs.File
 
 		if console && appFD < 3 {
@@ -80,11 +71,11 @@ func createFDMap(ctx context.Context, l *limits.LimitSet, console bool, stdioFDs
 		}
 
 		// Add the file to the FD map.
-		if err := fdm.NewFDAt(kdefs.FD(appFD), appFile, kernel.FDFlags{}, l); err != nil {
+		if err := fdTable.NewFDAt(ctx, int32(appFD), appFile, kernel.FDFlags{}); err != nil {
 			return nil, err
 		}
 	}
 
-	fdm.IncRef()
-	return fdm, nil
+	fdTable.IncRef()
+	return fdTable, nil
 }
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go
index 9da0c7067..f9a6f2d3c 100644
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@@ -25,8 +25,10 @@ import (
 
 	// Include filesystem types that OCI spec might mount.
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/dev"
+	"gvisor.dev/gvisor/pkg/sentry/fs/gofer"
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/host"
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/proc"
+	"gvisor.dev/gvisor/pkg/sentry/fs/ramfs"
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/sys"
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/tmpfs"
 	_ "gvisor.dev/gvisor/pkg/sentry/fs/tty"
@@ -36,8 +38,6 @@ import (
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/context"
 	"gvisor.dev/gvisor/pkg/sentry/fs"
-	"gvisor.dev/gvisor/pkg/sentry/fs/gofer"
-	"gvisor.dev/gvisor/pkg/sentry/fs/ramfs"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/syserror"
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 89f7d9f94..7e27d1f49 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -517,13 +517,13 @@ func (l *Loader) run() error {
 		// Create the FD map, which will set stdin, stdout, and stderr.  If console
 		// is true, then ioctl calls will be passed through to the host fd.
 		ctx := l.rootProcArgs.NewContext(l.k)
-		fdm, err := createFDMap(ctx, l.rootProcArgs.Limits, l.console, l.stdioFDs)
+		fdTable, err := createFDTable(ctx, l.console, l.stdioFDs)
 		if err != nil {
 			return fmt.Errorf("importing fds: %v", err)
 		}
 		// CreateProcess takes a reference on FDMap if successful. We won't need
 		// ours either way.
-		l.rootProcArgs.FDMap = fdm
+		l.rootProcArgs.FDTable = fdTable
 
 		// cid for root container can be empty. Only subcontainers need it to set
 		// the mount location.
@@ -562,13 +562,13 @@ func (l *Loader) run() error {
 			return fmt.Errorf("creating init process: %v", err)
 		}
 
-		// CreateProcess takes a reference on FDMap if successful.
-		l.rootProcArgs.FDMap.DecRef()
+		// CreateProcess takes a reference on FDTable if successful.
+		l.rootProcArgs.FDTable.DecRef()
 	}
 
 	ep.tg = l.k.GlobalInit()
 	if l.console {
-		ttyFile := l.rootProcArgs.FDMap.GetFile(0)
+		ttyFile, _ := l.rootProcArgs.FDTable.Get(0)
 		defer ttyFile.DecRef()
 		ep.tty = ttyFile.FileOperations.(*host.TTYFileOperations)
 
@@ -648,13 +648,13 @@ func (l *Loader) startContainer(spec *specs.Spec, conf *Config, cid string, file
 
 	// Create the FD map, which will set stdin, stdout, and stderr.
 	ctx := procArgs.NewContext(l.k)
-	fdm, err := createFDMap(ctx, procArgs.Limits, false, stdioFDs)
+	fdTable, err := createFDTable(ctx, false, stdioFDs)
 	if err != nil {
 		return fmt.Errorf("importing fds: %v", err)
 	}
-	// CreateProcess takes a reference on FDMap if successful. We won't need ours
-	// either way.
-	procArgs.FDMap = fdm
+	// CreateProcess takes a reference on fdTable if successful. We won't
+	// need ours either way.
+	procArgs.FDTable = fdTable
 
 	// Can't take ownership away from os.File. dup them to get a new FDs.
 	var goferFDs []int
@@ -683,8 +683,8 @@ func (l *Loader) startContainer(spec *specs.Spec, conf *Config, cid string, file
 	}
 	l.k.StartProcess(tg)
 
-	// CreateProcess takes a reference on FDMap if successful.
-	procArgs.FDMap.DecRef()
+	// CreateProcess takes a reference on FDTable if successful.
+	procArgs.FDTable.DecRef()
 
 	l.processes[eid].tg = tg
 	return nil