Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1204984imm;
        Wed, 23 May 2018 12:01:40 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpm6iyc1Mss+HGwkq4Ryw9Exet0x7tXmbUWNpdN2n4Eavmnc7WnAcUbA8+Nvvxm+k3mYE/6
X-Received: by 2002:a63:56:: with SMTP id 83-v6mr3149367pga.29.1527102099990;
        Wed, 23 May 2018 12:01:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527102099; cv=none;
        d=google.com; s=arc-20160816;
        b=WTis+OLUmoz4iKG8StfYkXHiEjcdbPzGhisBVSJyU7JkrLhtOU5LuaGjs08Ci897QD
         tfzB418pMgE0WvKKgk1/FzkEE7WfJJF+ZqK84uiGtFTLQFhvGRym0p9P6K1/rpfd8zKT
         yWBEvVE99rFr/GX58SQ6bIaN3TxNJSHnPXSFeXlfwTh+sCc4XoK5ujAS1uECffmTHe6b
         Srx5dEAMYYJwZ1PKt8kBjVMYfFKA/r1KOPNN/U/xLOJu4qDHS/1En0U3kByL9UEAa22S
         TwEmGgQt/RecMpMeAJOjyIWgt043g1KF+frHjDUhxSfw7EbwzloJmo0SBEhfTXWiDjzC
         t84g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=qFcwH+7ESP86XY7Kytb5AW08+R+WX4jXJUtIl6Be2jk=;
        b=FlOOOJEM7p2nR212MbyHfHdZZAFmRgggemzE4mY6h4YWxLOOy4aHU0AeAxzXxHo3Zh
         47mMU272wLcDyr9gGlxplcTdbU6Qf/TU3sy9o9Th03YuCyfwZaQIo+rPs3VAakLsCmpY
         WIbUGS2fbbL5UQts+1V8Me7dTm/K8WXn+AUdGrKGuDW+xEe2jPaxYC/g/ZVS4A7F8kzs
         PFoWu3JswnuaitUrAAAuJMd8T4kwZQTIaduqnNnRDN/qLfRAOnOsw8M//h1FKVdxJ+N0
         eSKY6Xqdx4y7wfD3+0YGFqi4QIGaKBNh0uiOcddY8PXEdqw0pjBtFr2gh8VZKHtyFVl/
         Q/Bg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u15-v6si15334939pgv.355.2018.05.23.12.01.24;
        Wed, 23 May 2018 12:01:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934147AbeEWTBF (ORCPT <rfc822;jimmypw@gmail.com> + 99 others);
        Wed, 23 May 2018 15:01:05 -0400
Received: from mail-ot0-f195.google.com ([74.125.82.195]:42398 "EHLO
        mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934071AbeEWTBB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 23 May 2018 15:01:01 -0400
Received: by mail-ot0-f195.google.com with SMTP id l13-v6so26448159otk.9
        for <linux-kernel@vger.kernel.org>; Wed, 23 May 2018 12:01:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=qFcwH+7ESP86XY7Kytb5AW08+R+WX4jXJUtIl6Be2jk=;
        b=ABPHIBu/MnVB2KQsdJvfZO7T14oBmL+/yf6Jx2KiTojiQn+t5m4uTpvXjcf+jkKtPM
         alKDROT1BwHLKmCZjwk+ldONsPb9Nj1069cA/EFCixHbvc+OcPaAUfs3HjGENuh9Aizd
         tw6d09ihDW3lIub1BKSTrDbqGOrpi8k1zIaxzvYaNQz9WraPMSlxQNvV4V2OBzp42K62
         omc5yJ+Rr3ixhVNSobAQl8oUuy7aQozJ0dZdTQTJ1XCN8bBUDtBAfaDR+pJ8pKde53fy
         Qzg4jwN9ZHkHCHA0AbYUbqwU5Qe+kRTjO8RWhNKFCA1DI8fiqLivZ6KkX5+TEFOraGb+
         qXwA==
X-Gm-Message-State: ALKqPwdS+nHCYSamugGfzA1Qm6MBbfchut50sV91gDKhvO71WTDLaK/m
        v0p0SJrhTF0fRiw7Hovfbqz4m6OAMUE=
X-Received: by 2002:a9d:102b:: with SMTP id h40-v6mr2721824ote.41.1527102059777;
        Wed, 23 May 2018 12:00:59 -0700 (PDT)
Received: from ?IPv6:2601:602:9802:a8dc::d2dd? ([2601:602:9802:a8dc::d2dd])
        by smtp.gmail.com with ESMTPSA id b10-v6sm9792473oiy.43.2018.05.23.12.00.56
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 23 May 2018 12:00:57 -0700 (PDT)
Subject: Re: [PATCH] dma-buf: simplified calling conventions for dma_buf_fd()
To:     Jens Wiklander <jens.wiklander@linaro.org>,
        linux-kernel@vger.kernel.org,
        Sumit Semwal <sumit.semwal@linaro.org>,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Gustavo Padovan <gustavo@padovan.org>,
        Zhenyu Wang <zhenyuw@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>,
        Christian Koenig <christian.koenig@amd.com>
References: <20180522080925.18158-1-jens.wiklander@linaro.org>
From:   Laura Abbott <labbott@redhat.com>
Message-ID: <c7d2370d-2705-9005-0642-6be85964d7f9@redhat.com>
Date:   Wed, 23 May 2018 12:00:55 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180522080925.18158-1-jens.wiklander@linaro.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/22/2018 01:09 AM, Jens Wiklander wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> Make dma_buf_fd() drop the file reference on failure, folding
> dma_buf_put() into it.
> 
> Users of dma_buf_fd() (drm, videobuf2, ion and tee) are updated to take
> the new calling convention into account.
> 

For the Ion portion,

Acked-by: Laura Abbott <labbott@redhat.com>

> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> [jw: rebased and updated commit message]
> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> ---
> 
> I received this patch as a response to what has become
> bb765d1c331f ("tee: shm: fix use-after-free via temporarily dropped reference")
> 
>   drivers/dma-buf/dma-buf.c                     | 16 +++++----
>   drivers/gpu/drm/drm_prime.c                   | 15 +++-----
>   drivers/gpu/drm/i915/gvt/dmabuf.c             |  4 +--
>   drivers/gpu/drm/ttm/ttm_object.c              |  3 +-
>   .../media/common/videobuf2/videobuf2-core.c   | 14 ++++----
>   drivers/staging/android/ion/ion.c             |  7 +---
>   drivers/tee/tee_core.c                        | 35 ++++++-------------
>   drivers/tee/tee_shm.c                         |  8 +----
>   8 files changed, 36 insertions(+), 66 deletions(-)
> 
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index d78d5fc173dc..78981928758e 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -471,17 +471,21 @@ EXPORT_SYMBOL_GPL(dma_buf_export);
>    */
>   int dma_buf_fd(struct dma_buf *dmabuf, int flags)
>   {
> +	struct file *file;
>   	int fd;
>   
> -	if (!dmabuf || !dmabuf->file)
> +	if (!dmabuf)
>   		return -EINVAL;
>   
> -	fd = get_unused_fd_flags(flags);
> -	if (fd < 0)
> -		return fd;
> -
> -	fd_install(fd, dmabuf->file);
> +	file = dmabuf->file;
> +	if (!file)
> +		return -EINVAL;
>   
> +	fd = get_unused_fd_flags(flags);
> +	if (fd >= 0)
> +		fd_install(fd, file);
> +	else
> +		fput(file);
>   	return fd;
>   }
>   EXPORT_SYMBOL_GPL(dma_buf_fd);
> diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
> index 7856a9b3f8a8..06d1b7d3751a 100644
> --- a/drivers/gpu/drm/drm_prime.c
> +++ b/drivers/gpu/drm/drm_prime.c
> @@ -662,8 +662,10 @@ int drm_gem_prime_handle_to_fd(struct drm_device *dev,
>   	ret = drm_prime_add_buf_handle(&file_priv->prime,
>   				       dmabuf, handle);
>   	mutex_unlock(&dev->object_name_lock);
> -	if (ret)
> -		goto fail_put_dmabuf;
> +	if (unlikely(ret)) {
> +		dma_buf_put(dmabuf);
> +		goto out;
> +	}
>   
>   out_have_handle:
>   	ret = dma_buf_fd(dmabuf, flags);
> @@ -673,17 +675,10 @@ int drm_gem_prime_handle_to_fd(struct drm_device *dev,
>   	 * and that is invariant as long as a userspace gem handle exists.
>   	 * Closing the handle will clean out the cache anyway, so we don't leak.
>   	 */
> -	if (ret < 0) {
> -		goto fail_put_dmabuf;
> -	} else {
> +	if (ret >= 0) {
>   		*prime_fd = ret;
>   		ret = 0;
>   	}
> -
> -	goto out;
> -
> -fail_put_dmabuf:
> -	dma_buf_put(dmabuf);
>   out:
>   	drm_gem_object_put_unlocked(obj);
>   out_unlock:
> diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt/dmabuf.c
> index 6f4f8e941fc2..1783c724d96c 100644
> --- a/drivers/gpu/drm/i915/gvt/dmabuf.c
> +++ b/drivers/gpu/drm/i915/gvt/dmabuf.c
> @@ -479,7 +479,7 @@ int intel_vgpu_get_dmabuf(struct intel_vgpu *vgpu, unsigned int dmabuf_id)
>   	ret = dma_buf_fd(dmabuf, DRM_CLOEXEC | DRM_RDWR);
>   	if (ret < 0) {
>   		gvt_vgpu_err("create dma-buf fd failed ret:%d\n", ret);
> -		goto out_free_dmabuf;
> +		goto out_free_gem;
>   	}
>   	dmabuf_fd = ret;
>   
> @@ -502,8 +502,6 @@ int intel_vgpu_get_dmabuf(struct intel_vgpu *vgpu, unsigned int dmabuf_id)
>   
>   	return dmabuf_fd;
>   
> -out_free_dmabuf:
> -	dma_buf_put(dmabuf);
>   out_free_gem:
>   	i915_gem_object_put(obj);
>   out:
> diff --git a/drivers/gpu/drm/ttm/ttm_object.c b/drivers/gpu/drm/ttm/ttm_object.c
> index 1aa2baa83959..30d29d17653f 100644
> --- a/drivers/gpu/drm/ttm/ttm_object.c
> +++ b/drivers/gpu/drm/ttm/ttm_object.c
> @@ -730,8 +730,7 @@ int ttm_prime_handle_to_fd(struct ttm_object_file *tfile,
>   	if (ret >= 0) {
>   		*prime_fd = ret;
>   		ret = 0;
> -	} else
> -		dma_buf_put(dma_buf);
> +	}
>   
>   out_unref:
>   	if (base)
> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> index d3f7bb33a54d..3baf689241cc 100644
> --- a/drivers/media/common/videobuf2/videobuf2-core.c
> +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> @@ -1881,15 +1881,13 @@ int vb2_core_expbuf(struct vb2_queue *q, int *fd, unsigned int type,
>   	if (ret < 0) {
>   		dprintk(3, "buffer %d, plane %d failed to export (%d)\n",
>   			index, plane, ret);
> -		dma_buf_put(dbuf);
> -		return ret;
> +	} else {
> +		dprintk(3, "buffer %d, plane %d exported as %d descriptor\n",
> +			index, plane, ret);
> +		*fd = ret;
> +		ret = 0;
>   	}
> -
> -	dprintk(3, "buffer %d, plane %d exported as %d descriptor\n",
> -		index, plane, ret);
> -	*fd = ret;
> -
> -	return 0;
> +	return ret;
>   }
>   EXPORT_SYMBOL_GPL(vb2_core_expbuf);
>   
> diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
> index e74db7902549..c9fcb2a2f518 100644
> --- a/drivers/staging/android/ion/ion.c
> +++ b/drivers/staging/android/ion/ion.c
> @@ -381,7 +381,6 @@ int ion_alloc(size_t len, unsigned int heap_id_mask, unsigned int flags)
>   	struct ion_buffer *buffer = NULL;
>   	struct ion_heap *heap;
>   	DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
> -	int fd;
>   	struct dma_buf *dmabuf;
>   
>   	pr_debug("%s: len %zu heap_id_mask %u flags %x\n", __func__,
> @@ -425,11 +424,7 @@ int ion_alloc(size_t len, unsigned int heap_id_mask, unsigned int flags)
>   		return PTR_ERR(dmabuf);
>   	}
>   
> -	fd = dma_buf_fd(dmabuf, O_CLOEXEC);
> -	if (fd < 0)
> -		dma_buf_put(dmabuf);
> -
> -	return fd;
> +	return dma_buf_fd(dmabuf, O_CLOEXEC);
>   }
>   
>   int ion_query_heaps(struct ion_heap_query *query)
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index dd46b758852a..1cb54f6f3c6a 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -125,7 +125,6 @@ static int tee_ioctl_version(struct tee_context *ctx,
>   static int tee_ioctl_shm_alloc(struct tee_context *ctx,
>   			       struct tee_ioctl_shm_alloc_data __user *udata)
>   {
> -	long ret;
>   	struct tee_ioctl_shm_alloc_data data;
>   	struct tee_shm *shm;
>   
> @@ -144,25 +143,18 @@ static int tee_ioctl_shm_alloc(struct tee_context *ctx,
>   	data.flags = shm->flags;
>   	data.size = shm->size;
>   
> -	if (copy_to_user(udata, &data, sizeof(data)))
> -		ret = -EFAULT;
> -	else
> -		ret = tee_shm_get_fd(shm);
> +	if (unlikely(copy_to_user(udata, &data, sizeof(data)))) {
> +		tee_shm_put(shm);
> +		return -EFAULT;
> +	}
>   
> -	/*
> -	 * When user space closes the file descriptor the shared memory
> -	 * should be freed or if tee_shm_get_fd() failed then it will
> -	 * be freed immediately.
> -	 */
> -	tee_shm_put(shm);
> -	return ret;
> +	return tee_shm_get_fd(shm);
>   }
>   
>   static int
>   tee_ioctl_shm_register(struct tee_context *ctx,
>   		       struct tee_ioctl_shm_register_data __user *udata)
>   {
> -	long ret;
>   	struct tee_ioctl_shm_register_data data;
>   	struct tee_shm *shm;
>   
> @@ -182,17 +174,12 @@ tee_ioctl_shm_register(struct tee_context *ctx,
>   	data.flags = shm->flags;
>   	data.length = shm->size;
>   
> -	if (copy_to_user(udata, &data, sizeof(data)))
> -		ret = -EFAULT;
> -	else
> -		ret = tee_shm_get_fd(shm);
> -	/*
> -	 * When user space closes the file descriptor the shared memory
> -	 * should be freed or if tee_shm_get_fd() failed then it will
> -	 * be freed immediately.
> -	 */
> -	tee_shm_put(shm);
> -	return ret;
> +	if (unlikely(copy_to_user(udata, &data, sizeof(data)))) {
> +		tee_shm_put(shm);
> +		return -EFAULT;
> +	}
> +
> +	return tee_shm_get_fd(shm);
>   }
>   
>   static int params_from_user(struct tee_context *ctx, struct tee_param *params,
> diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
> index 07d3be6f0780..53b35b5e5776 100644
> --- a/drivers/tee/tee_shm.c
> +++ b/drivers/tee/tee_shm.c
> @@ -355,16 +355,10 @@ EXPORT_SYMBOL_GPL(tee_shm_register);
>    */
>   int tee_shm_get_fd(struct tee_shm *shm)
>   {
> -	int fd;
> -
>   	if (!(shm->flags & TEE_SHM_DMA_BUF))
>   		return -EINVAL;
>   
> -	get_dma_buf(shm->dmabuf);
> -	fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
> -	if (fd < 0)
> -		dma_buf_put(shm->dmabuf);
> -	return fd;
> +	return dma_buf_fd(shm->dmabuf, O_CLOEXEC);
>   }
>   
>   /**
>