Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <290f6d3a5fe288b87480cc5fa12c5139728daeca.1547787189.git.baolin.wang@linaro.org>
 <81e894ba-acad-2fd4-996d-8d35edd8825a@perex.cz> <20190118190805.GF6260@sirena.org.uk>
 <s5hzhrxzrez.wl-tiwai@suse.de> <20190121124053.GA12679@sirena.org.uk>
 <f278bb69-7df0-4d14-5e4f-9bcb57d7f2b6@perex.cz> <20190122202535.GK7579@sirena.org.uk>
 <s5h4l9z4mbo.wl-tiwai@suse.de> <20190123124658.GE15906@leoy-ThinkPad-X240s>
 <3962daba-f6ed-d706-c618-b791a1ba6b59@perex.cz> <CAMz4kuK5JgfZF7uXa83xC3eVCrZ8+wkZRdKq2s71o_QjT=OhGg@mail.gmail.com>
 <s5h1s51120e.wl-tiwai@suse.de>
In-Reply-To: <s5h1s51120e.wl-tiwai@suse.de>
From:   Baolin Wang <baolin.wang@linaro.org>
Date:   Fri, 25 Jan 2019 19:11:43 +0800
Message-ID: <CAMz4ku+h0HM4zmdb_a83gkW5EfVo24z74d7NQBSD8u8zdzaRUQ@mail.gmail.com>
Subject: Re: [RFC PATCH] ALSA: core: Add DMA share buffer support
To:     Takashi Iwai <tiwai@suse.de>
Cc:     Jaroslav Kysela <perex@perex.cz>, Leo Yan <leo.yan@linaro.org>,
        Mark Brown <broonie@kernel.org>, alsa-devel@alsa-project.org,
        Arnd Bergmann <arnd@arndb.de>,
        Kees Cook <keescook@chromium.org>, bgoswami@codeaurora.org,
        sr@denx.de, gustavo@embeddedor.com,
        Phil Burk <philburk@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        mchehab+samsung@kernel.org, sboyd@kernel.org,
        Vinod Koul <vkoul@kernel.org>,
        Daniel Thompson <daniel.thompson@linaro.org>,
        Mathieu Poirier <mathieu.poirier@linaro.org>,
        Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
        anna-maria@linutronix.de, Jon Corbet <corbet@lwn.net>,
        Jeffery Miller <jmiller@neverware.com>,
        Charles Keepax <ckeepax@opensource.wolfsonmicro.com>,
        joe@perches.com, Takashi Sakamoto <o-takashi@sakamocchi.jp>,
        colyli@suse.de, LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

Hi Takashi,
On Fri, 25 Jan 2019 at 18:10, Takashi Iwai <tiwai@suse.de> wrote:
>
> On Fri, 25 Jan 2019 10:25:37 +0100,
> Baolin Wang wrote:
> >
> > Hi Jaroslav,
> > On Thu, 24 Jan 2019 at 21:43, Jaroslav Kysela <perex@perex.cz> wrote:
> > >
> > > Dne 23.1.2019 v 13:46 Leo Yan napsal(a):
> > > > Hi all,
> > > >
> > > > On Wed, Jan 23, 2019 at 12:58:51PM +0100, Takashi Iwai wrote:
> > > >> On Tue, 22 Jan 2019 21:25:35 +0100,
> > > >> Mark Brown wrote:
> > > >>>
> > > >>> On Mon, Jan 21, 2019 at 03:15:43PM +0100, Jaroslav Kysela wrote:
> > > >>>> Dne 21.1.2019 v 13:40 Mark Brown napsal(a):
> > > >>>
> > > >>>>> It was the bit about adding more extended permission control that I was
> > > >>>>> worried about there, not the initial O_APPEND bit.  Indeed the O_APPEND
> > > >>>>> bit sounds like it might also work from the base buffer sharing point of
> > > >>>>> view, I have to confess I'd not heard of that feature before (it didn't
> > > >>>>> come up in the discussion when Eric raised this in Prague).
> > > >>>
> > > >>>> With permissions, I meant to make possible to restrict the file
> > > >>>> descriptor operations (ioctls) for the depending task (like access to
> > > >>>> the DMA buffer, synchronize it for the non-coherent platforms and maybe
> > > >>>> read/write the actual position, delay etc.). It should be relatively
> > > >>>> easy to implement using the snd_pcm_file structure.
> > > >>>
> > > >>> Right, that's what I understood you to mean.  If you want to have a
> > > >>> policy saying "it's OK to export a PCM file descriptor if it's only got
> > > >>> permissions X and Y" the security module is going to need to know about
> > > >>> the mechanism for setting those permissions.  With dma_buf that's all a
> > > >>> bit easier as there's less new stuff, though I've no real idea how much
> > > >>> of a big deal that actually is.
> > > >>
> > > >> There are many ways to implement such a thing, yeah.  If we'd need an
> > > >> implementation that is done solely in the sound driver layer, I can
> > > >> imagine to introduce either a new ioctl or an open flag (like O_EXCL)
> > > >> to specify the restricted sharing.  That is, a kind of master / slave
> > > >> model where only the master is allowed to manipulate the stream while
> > > >> the slave can mmap, read/write and get status.
> > > >
> > > > In order to support EXCLUSIVE mode, it is necessary to convert the
> > > > /dev/snd/ descriptor to an anon_inode:dmabuffer file descriptor.
> > > > SELinux allows that file descriptor to be passed to the client. It can
> > > > also be used by the AAudioService.
> > >
> > > Okay, so this is probably the only point which we should resolve for the
> > > already available DMA buffer sharing in ALSA (the O_APPEND flag).
> > >
> > > I had another glance to your dma-buf implementation and I see many
> > > things which might cause problems:
> > >
> > > - allow to call dma-buf ioctls only when the audio device is in specific
> > > state (stream is not running)
> >
> > Right. Will fix.
> >
> > > - as Takashi mentioned, if we return another file-descriptor (dma-buf
> > > export) to the user space and the server closes the main pcm
> > > file-descriptor (the client does not) - the result will be a crash (dma
> > > buffer will be freed, but referenced through the dma-buf interface)
> >
> > Yes, will fix.
>
> There are a few more overlooked problems.  A part of them was already
> mentioned in my previous reply, but let me repeat:
>
> - The racy ioctls have to be considered; you can perform this export
>   ioctl concurrently, and both of them write and mix up the setup,
>   which is obviously broken.

Yes, I think I missed the snd_pcm_stream_lock, and will add.

>
> - The PCM buffer can be re-allocated on the fly.  If the current
>   buffer is abandoned while exporting, it leads to the UAF.

So I need some validation to check if the buffer is available now when
exporting it.

>
> - Similarly, what if the PCM stream that is attached is closed without
>   detaching itself?  Or, what if the PCM stream attaches itself twice

We will detach it automatically in snd_pcm_free_stream()

>   without detaching?

Sure, need add validation for this case.

>
> - The driver may provide its own mmap method, and you can't hard-code
>   the mmap implementation as currently in snd_pcm_dmabuf_mmap().
>
>   I suppose you can drop of most of the code in snd_pcm_dmabuf_map(),
>   instead, assign PCM substream in obj, and call snd_pcm_mmap_data()
>   with the given VMA.  If this really works, it manages the mmap
>   refcount, so the previous two issues should be covered there.
>   But it needs more consideration...

Ah, I think I missed the snd_pcm_mmap_data() function. Yes, so I can
remove the implementation in snd_pcm_dmabuf_map().

>
> - What happens to the PCM buffer that has been allocated before
>   attaching, if it's not the pre-allocated one?
>   It should be released properly beforehand, otherwise leaks.

I am not sure I understood you correctly. If the PCM buffer has been
allocated, the platform driver should handle it? Since we always use
substream->dma_buffer.

>
> - There is no validation of the attached dma-buf pages; most drivers
>   set coherent DMA mask, and they rely on it.  e.g. if a page over the
>   DMA mask is passed, it will break silently.

Sorry maybe I did not get your point here. We have validate the
dma_map_sg_attr() funtion, in this fucntion it will validate the DMA
mask by dma_capable().

>
> - Some drivers don't use the standard memory pages but keep their own
>   hardware buffer (e.g. rme96 or rm32 driver).  This ioctl would be
>   completely broken on such hardware.
>   That is, we need some sanity check whether the PCM allows the
>   arbitrary dma-buf or not.

Make sense. Need add some validation to make sure if this PCM can export or not.

Very appreciated for your useful comments.

-- 
Baolin Wang
Best Regards