Re: [PATCH 5/7] drm/vgem: prime export support

[Tomasz Stanislawski <t.stanislaws@samsung.com>]

Hi Ben,
Please refer to comments below.

On 02/22/2012 08:29 PM, Ben Widawsky wrote:
> dma-buf export implementation. Heavily influenced by Dave Airlie's proof
> of concept work.
>
> Cc: Daniel Vetter<daniel.vetter@ffwll.ch>
> Cc: Dave Airlie<airlied@redhat.com>
> Signed-off-by: Ben Widawsky<ben@bwidawsk.net>
> ---
>   drivers/gpu/drm/vgem/Makefile       |    2 +-
>   drivers/gpu/drm/vgem/vgem_dma_buf.c |  128 +++++++++++++++++++++++++++++++++++
>   drivers/gpu/drm/vgem/vgem_drv.c     |    6 ++
>   drivers/gpu/drm/vgem/vgem_drv.h     |    7 ++
>   4 files changed, 142 insertions(+), 1 deletions(-)
>   create mode 100644 drivers/gpu/drm/vgem/vgem_dma_buf.c
>
[snip]
> +
> +int vgem_prime_to_fd(struct drm_device *dev, struct drm_file *file,
> +		     uint32_t handle, int *prime_fd)
> +{
> +	struct drm_vgem_file_private *file_priv = file->driver_priv;
> +	struct drm_vgem_gem_object *obj;
> +	int ret;
> +
> +	DRM_DEBUG_PRIME("Request fd for handle %d\n", handle);
> +
> +	obj = to_vgem_bo(drm_gem_object_lookup(dev, file, handle));
> +	if (!obj)
> +		return -EBADF;
> +
> +	/* This means a user has already called get_fd on this */
> +	if (obj->base.prime_fd != -1) {
> +		DRM_DEBUG_PRIME("User requested a previously exported buffer "
> +				"%d %d\n", handle, obj->base.prime_fd);
> +		drm_gem_object_unreference(&obj->base);
> +		goto out_fd;

IMO, it is not safe to cache a number of file descriptor. This number 
may unexpectedly become invalid introducing a bug. Please refer to the 
scenario:
- application possess a GEM buffer called A
- call DRM_IOCTL_PRIME_HANDLE_TO_FD on A to obtain a file descriptor fd_A
- application calls fd_B = dup(fd_A). Now both fd_A and fd_B point to 
the same DMABUF instance.
- application calls close(fd_A), now fd_A is no longer a valid file 
descriptor
- application tries to export the buffer again and calls ioctl 
DRM_IOCTL_PRIME_HANDLE_TO_FD on GEM buffer. The field obj->base.prime_fd 
is already set to fd_A so value fd_A is returned to userspace. Notice 
that this is a bug because fd_A is no longer valid.

I think that field prime_fd should be removed because it is too 
unreliable. The driver should call dma_buf_fd every time when the buffer 
is exported.

> +	}
> +
> +	/* Make a dma buf out of our vgem object */
> +	obj->base.export_dma_buf = dma_buf_export(obj,&vgem_dmabuf_ops,
> +						  obj->base.size,
> +						  VGEM_FD_PERMS);
> +	if (IS_ERR(obj->base.export_dma_buf)) {
> +		DRM_DEBUG_PRIME("export fail\n");
> +		return PTR_ERR(obj->base.export_dma_buf);
> +	} else
> +		obj->base.prime_fd = dma_buf_fd(obj->base.export_dma_buf);
> +
> +	mutex_lock(&dev->prime_mutex);
> +	ret = drm_prime_insert_fd_handle_mapping(&file_priv->prime,
> +						 obj->base.export_dma_buf,
> +						 handle);
> +	WARN_ON(ret);
> +	ret = drm_prime_add_dma_buf(dev,&obj->base);
> +	mutex_unlock(&dev->prime_mutex);
> +	if (ret)
> +		return ret;
> +
> +out_fd:
> +	*prime_fd = obj->base.prime_fd;
> +
> +	return 0;
> +}
> +

Regards,
Tomasz Stanislawski