|
|
@@ -319,6 +319,24 @@ Miscellaneous notes
|
|
|
- Any exporters or users of the dma-buf buffer sharing framework must have
|
|
|
a 'select DMA_SHARED_BUFFER' in their respective Kconfigs.
|
|
|
|
|
|
+- In order to avoid fd leaks on exec, the FD_CLOEXEC flag must be set
|
|
|
+ on the file descriptor. This is not just a resource leak, but a
|
|
|
+ potential security hole. It could give the newly exec'd application
|
|
|
+ access to buffers, via the leaked fd, to which it should otherwise
|
|
|
+ not be permitted access.
|
|
|
+
|
|
|
+ The problem with doing this via a separate fcntl() call, versus doing it
|
|
|
+ atomically when the fd is created, is that this is inherently racy in a
|
|
|
+ multi-threaded app[3]. The issue is made worse when it is library code
|
|
|
+ opening/creating the file descriptor, as the application may not even be
|
|
|
+ aware of the fd's.
|
|
|
+
|
|
|
+ To avoid this problem, userspace must have a way to request O_CLOEXEC
|
|
|
+ flag be set when the dma-buf fd is created. So any API provided by
|
|
|
+ the exporting driver to create a dmabuf fd must provide a way to let
|
|
|
+ userspace control setting of O_CLOEXEC flag passed in to dma_buf_fd().
|
|
|
+
|
|
|
References:
|
|
|
[1] struct dma_buf_ops in include/linux/dma-buf.h
|
|
|
[2] All interfaces mentioned above defined in include/linux/dma-buf.h
|
|
|
+[3] https://lwn.net/Articles/236486/
|
Rob Clark