Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp439581imu; Fri, 25 Jan 2019 05:06:33 -0800 (PST) X-Google-Smtp-Source: ALg8bN48cUFmp4b0mXCq/uts6BkGRv/QcyMBXrY/7wcqMCHCifNeAK/YCAMjR6XIlgAbEEct4XE/ X-Received: by 2002:a63:c051:: with SMTP id z17mr9691892pgi.20.1548421593768; Fri, 25 Jan 2019 05:06:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548421593; cv=none; d=google.com; s=arc-20160816; b=f4GIT1DnUsQ1lrdPwdS3UApln3zd9kMS77W+Zs2L++MgNhIEC/3GdYSczGQg4otgou +ZA0ZTageFTlHHZ6Qx+hjcB3LPEg4xVopYw3Oxsrq5n5ow01kwBcgJSgiuXwTPVuMIo0 oLnbQuSzlu1oDJTGca0hwuznVro4ttu+RcUY/Z9ycZeXigp+J+MGHZCrvutTup+R0HdG SCFfV2KBlDMh3R689w+ddm+tXMLWSVeqIzaE5MqchePggf8KKbtBvsEFe/kmqjxZU6f2 ham+kOo42kW4vus4ajcbdSDUSmUoYkCv/3a05uVAztiuYdPBw4HCD7tlCAjuu4Rees2W vqfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:subject:cc:to:from:message-id:date; bh=Yj81NRwBVMgRjAhuXOWYSe/wi12Nss74K2X207w2Roc=; b=jA0V3JSja3H2d7ePUyi6MrdspZ84aTIZ6+S0b76BTDcV72HCjIzerAVSABQBjD7MG+ I6SAuQRk19CxTOPLXn6mooYLKAdgLiPhha+qha++1YSWbeqXUYJ7zw0v6NiuEunxWdgw uXXkpHLVAsPXXZoXZOd/aDLKq4576EMKhjah743qJvqB0Grf9NjJclAyWvvnoYIfhGFQ 2hJRV2HMP522JBrxAl15i21H3BS9+w7Nn/q3FQpcVGl0G1a1iYhThV69fcCqWjGLtR9V Z9NuNpsVhDggRvMAwVuCl9Nce2p/GRVi1xEi8jUCLuX4aFM63RhrSUHAz4oQkuwGQKrI 3LEg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z10si25866942pfm.37.2019.01.25.05.06.15; Fri, 25 Jan 2019 05:06:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728074AbfAYNE6 (ORCPT + 99 others); Fri, 25 Jan 2019 08:04:58 -0500 Received: from mx2.suse.de ([195.135.220.15]:41966 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726100AbfAYNE5 (ORCPT ); Fri, 25 Jan 2019 08:04:57 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id E60D6AF0D; Fri, 25 Jan 2019 13:04:55 +0000 (UTC) Date: Fri, 25 Jan 2019 14:04:55 +0100 Message-ID: From: Takashi Iwai To: Baolin Wang Cc: Jaroslav Kysela , Leo Yan , Mark Brown , alsa-devel@alsa-project.org, Arnd Bergmann , Kees Cook , bgoswami@codeaurora.org, sr@denx.de, gustavo@embeddedor.com, Phil Burk , Matthew Wilcox , mchehab+samsung@kernel.org, sboyd@kernel.org, Vinod Koul , Daniel Thompson , Mathieu Poirier , Srinivas Kandagatla , anna-maria@linutronix.de, Jon Corbet , Jeffery Miller , Charles Keepax , joe@perches.com, Takashi Sakamoto , colyli@suse.de, LKML Subject: Re: [RFC PATCH] ALSA: core: Add DMA share buffer support In-Reply-To: References: <290f6d3a5fe288b87480cc5fa12c5139728daeca.1547787189.git.baolin.wang@linaro.org> <81e894ba-acad-2fd4-996d-8d35edd8825a@perex.cz> <20190118190805.GF6260@sirena.org.uk> <20190121124053.GA12679@sirena.org.uk> <20190122202535.GK7579@sirena.org.uk> <20190123124658.GE15906@leoy-ThinkPad-X240s> <3962daba-f6ed-d706-c618-b791a1ba6b59@perex.cz> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 25 Jan 2019 12:24:29 +0100, Baolin Wang wrote: > > On Fri, 25 Jan 2019 at 18:20, Takashi Iwai wrote: > > > > On Fri, 25 Jan 2019 11:10:25 +0100, > > Takashi Iwai wrote: > > > > > > On Fri, 25 Jan 2019 10:25:37 +0100, > > > Baolin Wang wrote: > > > > > > > > Hi Jaroslav, > > > > On Thu, 24 Jan 2019 at 21:43, Jaroslav Kysela wrote: > > > > > > > > > > Dne 23.1.2019 v 13:46 Leo Yan napsal(a): > > > > > > Hi all, > > > > > > > > > > > > On Wed, Jan 23, 2019 at 12:58:51PM +0100, Takashi Iwai wrote: > > > > > >> On Tue, 22 Jan 2019 21:25:35 +0100, > > > > > >> Mark Brown wrote: > > > > > >>> > > > > > >>> On Mon, Jan 21, 2019 at 03:15:43PM +0100, Jaroslav Kysela wrote: > > > > > >>>> Dne 21.1.2019 v 13:40 Mark Brown napsal(a): > > > > > >>> > > > > > >>>>> It was the bit about adding more extended permission control that I was > > > > > >>>>> worried about there, not the initial O_APPEND bit. Indeed the O_APPEND > > > > > >>>>> bit sounds like it might also work from the base buffer sharing point of > > > > > >>>>> view, I have to confess I'd not heard of that feature before (it didn't > > > > > >>>>> come up in the discussion when Eric raised this in Prague). > > > > > >>> > > > > > >>>> With permissions, I meant to make possible to restrict the file > > > > > >>>> descriptor operations (ioctls) for the depending task (like access to > > > > > >>>> the DMA buffer, synchronize it for the non-coherent platforms and maybe > > > > > >>>> read/write the actual position, delay etc.). It should be relatively > > > > > >>>> easy to implement using the snd_pcm_file structure. > > > > > >>> > > > > > >>> Right, that's what I understood you to mean. If you want to have a > > > > > >>> policy saying "it's OK to export a PCM file descriptor if it's only got > > > > > >>> permissions X and Y" the security module is going to need to know about > > > > > >>> the mechanism for setting those permissions. With dma_buf that's all a > > > > > >>> bit easier as there's less new stuff, though I've no real idea how much > > > > > >>> of a big deal that actually is. > > > > > >> > > > > > >> There are many ways to implement such a thing, yeah. If we'd need an > > > > > >> implementation that is done solely in the sound driver layer, I can > > > > > >> imagine to introduce either a new ioctl or an open flag (like O_EXCL) > > > > > >> to specify the restricted sharing. That is, a kind of master / slave > > > > > >> model where only the master is allowed to manipulate the stream while > > > > > >> the slave can mmap, read/write and get status. > > > > > > > > > > > > In order to support EXCLUSIVE mode, it is necessary to convert the > > > > > > /dev/snd/ descriptor to an anon_inode:dmabuffer file descriptor. > > > > > > SELinux allows that file descriptor to be passed to the client. It can > > > > > > also be used by the AAudioService. > > > > > > > > > > Okay, so this is probably the only point which we should resolve for the > > > > > already available DMA buffer sharing in ALSA (the O_APPEND flag). > > > > > > > > > > I had another glance to your dma-buf implementation and I see many > > > > > things which might cause problems: > > > > > > > > > > - allow to call dma-buf ioctls only when the audio device is in specific > > > > > state (stream is not running) > > > > > > > > Right. Will fix. > > > > > > > > > - as Takashi mentioned, if we return another file-descriptor (dma-buf > > > > > export) to the user space and the server closes the main pcm > > > > > file-descriptor (the client does not) - the result will be a crash (dma > > > > > buffer will be freed, but referenced through the dma-buf interface) > > > > > > > > Yes, will fix. > > > > > > There are a few more overlooked problems. A part of them was already > > > mentioned in my previous reply, but let me repeat: > > > > > > - The racy ioctls have to be considered; you can perform this export > > > ioctl concurrently, and both of them write and mix up the setup, > > > which is obviously broken. > > > > > > - The PCM buffer can be re-allocated on the fly. If the current > > > buffer is abandoned while exporting, it leads to the UAF. > > > > > > - Similarly, what if the PCM stream that is attached is closed without > > > detaching itself? Or, what if the PCM stream attaches itself twice > > > without detaching? > > > > > > - The driver may provide its own mmap method, and you can't hard-code > > > the mmap implementation as currently in snd_pcm_dmabuf_mmap(). > > > > > > I suppose you can drop of most of the code in snd_pcm_dmabuf_map(), > > > instead, assign PCM substream in obj, and call snd_pcm_mmap_data() > > > with the given VMA. If this really works, it manages the mmap > > > refcount, so the previous two issues should be covered there. > > > But it needs more consideration... > > > > Erm, obviously it's not enough. Each attach / detach needs to manage > > the refcount, too, for covering the cases above. It can re-use the > > PCM mmap_refount, though. > > But we've used the DMA buffer file's refcounting to manage the DMA > buffer. So is this not enough? Unless you manage the PCM substream refcount (or block the state change), the PCM stream itself can be released (or re-setup) freely. Takashi