From patchwork Mon Mar 19 21:42:49 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rob Clark
X-Patchwork-Id: 7360
Sender: Rob Clark
From: Rob Clark
To: linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org
Cc: patches@linaro.org, daniel.vetter@ffwll.ch, sumit.semwal@linaro.org, Rob Clark
Subject: [PATCH] dma-buf: document fd flags and O_CLOEXEC requirement
Date: Mon, 19 Mar 2012 16:42:49 -0500
Message-Id: <1332193370-27820-1-git-send-email-rob.clark@linaro.org>
X-Mailer: git-send-email 1.7.5.4

From: Rob Clark Otherwise subsystems will get this wrong and end up with a second export ioctl with the flag and O_CLOEXEC support added. Signed-off-by: Rob Clark Reviewed-by: Daniel Vetter --- Updated version of Daniel's original documentation patch with (hopefully) improved wording, and a better description of the motivation. Documentation/dma-buf-sharing.txt | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) diff --git a/Documentation/dma-buf-sharing.txt b/Documentation/dma-buf-sharing.txt index 225f96d..3b51134 100644 --- a/Documentation/dma-buf-sharing.txt +++ b/Documentation/dma-buf-sharing.txt @@ -223,6 +223,24 @@ Miscellaneous notes: - Any exporters or users of the dma-buf buffer sharing framework must have a 'select DMA_SHARED_BUFFER' in their respective Kconfigs. +- In order to avoid fd leaks on exec, the FD_CLOEXEC flag must be set + on the file descriptor. This is not just a resource leak, but a + potential security hole. It could give the newly exec'd application + access to buffers, via the leaked fd, to which it should otherwise + not be permitted access. + + The problem with doing this via a separate fcntl() call, versus doing it + atomically when the fd is created, is that this is inherently racy in a + multi-threaded app[3]. The issue is made worse when it is library code + opening/creating the file descriptor, as the application may not even be + aware of the fd's. + + To avoid this problem, userspace must have a way to request O_CLOEXEC + flag be set when the dma-buf fd is created. So any API provided by + the exporting driver to create a dmabuf fd must provide a way to let + userspace control setting of O_CLOEXEC flag passed in to dma_buf_fd(). + References: [1] struct dma_buf_ops in include/linux/dma-buf.h [2] All interfaces mentioned above defined in include/linux/dma-buf.h +[3] https://lwn.net/Articles/236486/
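
Review bot: The first added paragraph of the hunk at @@ -223 says FD_CLOEXEC "must be set on the file descriptor", while the third only requires that userspace have "a way to request" O_CLOEXEC, so the text reads as both mandatory and opt-in. Suggest stating the rule once from the exporter's side: the ioctl that creates the dma-buf fd takes a flags argument from userspace and passes it to dma_buf_fd(), and userspace is expected to set O_CLOEXEC in it. It would also help to add one sentence saying that O_CLOEXEC at creation time is what sets FD_CLOEXEC on the new fd, since the paragraphs switch between the two names without relating them.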