Re: [RFC PATCH] ALSA: core: Add DMA share buffer support

[Baolin Wang <baolin.wang@linaro.org>]

Hi Takashi,
On Fri, 25 Jan 2019 at 18:10, Takashi Iwai <tiwai@suse.de> wrote:
>
> On Fri, 25 Jan 2019 10:25:37 +0100,
> Baolin Wang wrote:
> >
> > Hi Jaroslav,
> > On Thu, 24 Jan 2019 at 21:43, Jaroslav Kysela <perex@perex.cz> wrote:
> > >
> > > Dne 23.1.2019 v 13:46 Leo Yan napsal(a):
> > > > Hi all,
> > > >
> > > > On Wed, Jan 23, 2019 at 12:58:51PM +0100, Takashi Iwai wrote:
> > > >> On Tue, 22 Jan 2019 21:25:35 +0100,
> > > >> Mark Brown wrote:
> > > >>>
> > > >>> On Mon, Jan 21, 2019 at 03:15:43PM +0100, Jaroslav Kysela wrote:
> > > >>>> Dne 21.1.2019 v 13:40 Mark Brown napsal(a):
> > > >>>
> > > >>>>> It was the bit about adding more extended permission control that I was
> > > >>>>> worried about there, not the initial O_APPEND bit.  Indeed the O_APPEND
> > > >>>>> bit sounds like it might also work from the base buffer sharing point of
> > > >>>>> view, I have to confess I'd not heard of that feature before (it didn't
> > > >>>>> come up in the discussion when Eric raised this in Prague).
> > > >>>
> > > >>>> With permissions, I meant to make possible to restrict the file
> > > >>>> descriptor operations (ioctls) for the depending task (like access to
> > > >>>> the DMA buffer, synchronize it for the non-coherent platforms and maybe
> > > >>>> read/write the actual position, delay etc.). It should be relatively
> > > >>>> easy to implement using the snd_pcm_file structure.
> > > >>>
> > > >>> Right, that's what I understood you to mean.  If you want to have a
> > > >>> policy saying "it's OK to export a PCM file descriptor if it's only got
> > > >>> permissions X and Y" the security module is going to need to know about
> > > >>> the mechanism for setting those permissions.  With dma_buf that's all a
> > > >>> bit easier as there's less new stuff, though I've no real idea how much
> > > >>> of a big deal that actually is.
> > > >>
> > > >> There are many ways to implement such a thing, yeah.  If we'd need an
> > > >> implementation that is done solely in the sound driver layer, I can
> > > >> imagine to introduce either a new ioctl or an open flag (like O_EXCL)
> > > >> to specify the restricted sharing.  That is, a kind of master / slave
> > > >> model where only the master is allowed to manipulate the stream while
> > > >> the slave can mmap, read/write and get status.
> > > >
> > > > In order to support EXCLUSIVE mode, it is necessary to convert the
> > > > /dev/snd/ descriptor to an anon_inode:dmabuffer file descriptor.
> > > > SELinux allows that file descriptor to be passed to the client. It can
> > > > also be used by the AAudioService.
> > >
> > > Okay, so this is probably the only point which we should resolve for the
> > > already available DMA buffer sharing in ALSA (the O_APPEND flag).
> > >
> > > I had another glance to your dma-buf implementation and I see many
> > > things which might cause problems:
> > >
> > > - allow to call dma-buf ioctls only when the audio device is in specific
> > > state (stream is not running)
> >
> > Right. Will fix.
> >
> > > - as Takashi mentioned, if we return another file-descriptor (dma-buf
> > > export) to the user space and the server closes the main pcm
> > > file-descriptor (the client does not) - the result will be a crash (dma
> > > buffer will be freed, but referenced through the dma-buf interface)
> >
> > Yes, will fix.
>
> There are a few more overlooked problems.  A part of them was already
> mentioned in my previous reply, but let me repeat:
>
> - The racy ioctls have to be considered; you can perform this export
>   ioctl concurrently, and both of them write and mix up the setup,
>   which is obviously broken.

Yes, I think I missed the snd_pcm_stream_lock, and will add.

>
> - The PCM buffer can be re-allocated on the fly.  If the current
>   buffer is abandoned while exporting, it leads to the UAF.

So I need some validation to check if the buffer is available now when
exporting it.

>
> - Similarly, what if the PCM stream that is attached is closed without
>   detaching itself?  Or, what if the PCM stream attaches itself twice

We will detach it automatically in snd_pcm_free_stream()

>   without detaching?

Sure, need add validation for this case.

>
> - The driver may provide its own mmap method, and you can't hard-code
>   the mmap implementation as currently in snd_pcm_dmabuf_mmap().
>
>   I suppose you can drop of most of the code in snd_pcm_dmabuf_map(),
>   instead, assign PCM substream in obj, and call snd_pcm_mmap_data()
>   with the given VMA.  If this really works, it manages the mmap
>   refcount, so the previous two issues should be covered there.
>   But it needs more consideration...

Ah, I think I missed the snd_pcm_mmap_data() function. Yes, so I can
remove the implementation in snd_pcm_dmabuf_map().

>
> - What happens to the PCM buffer that has been allocated before
>   attaching, if it's not the pre-allocated one?
>   It should be released properly beforehand, otherwise leaks.

I am not sure I understood you correctly. If the PCM buffer has been
allocated, the platform driver should handle it? Since we always use
substream->dma_buffer.

>
> - There is no validation of the attached dma-buf pages; most drivers
>   set coherent DMA mask, and they rely on it.  e.g. if a page over the
>   DMA mask is passed, it will break silently.

Sorry maybe I did not get your point here. We have validate the
dma_map_sg_attr() funtion, in this fucntion it will validate the DMA
mask by dma_capable().

>
> - Some drivers don't use the standard memory pages but keep their own
>   hardware buffer (e.g. rme96 or rm32 driver).  This ioctl would be
>   completely broken on such hardware.
>   That is, we need some sanity check whether the PCM allows the
>   arbitrary dma-buf or not.

Make sense. Need add some validation to make sure if this PCM can export or not.

Very appreciated for your useful comments.

-- 
Baolin Wang
Best Regards