On 2021/2/23 7:50 下午, Xie Yongji wrote:

+
+	switch (cmd) {
+	case VDUSE_IOTLB_GET_FD: {
+		struct vduse_iotlb_entry entry;
+		struct vhost_iotlb_map *map;
+		struct vdpa_map_file *map_file;
+		struct file *f = NULL;
+
+		ret = -EFAULT;
+		if (copy_from_user(&entry, argp, sizeof(entry)))
+			break;
+
+		spin_lock(&dev->iommu_lock);
+		map = vhost_iotlb_itree_first(dev->iommu, entry.start,
+					      entry.last);
+		if (map) {
+			map_file = (struct vdpa_map_file *)map->opaque;
+			f = get_file(map_file->file);
+			entry.offset = map_file->offset;
+			entry.start = map->start;
+			entry.last = map->last;
+			entry.perm = map->perm;
+		}
+		spin_unlock(&dev->iommu_lock);
+		if (!f) {
+			ret = -EINVAL;
+			break;
+		}
+		if (copy_to_user(argp, &entry, sizeof(entry))) {
+			fput(f);
+			ret = -EFAULT;
+			break;
+		}
+		ret = get_unused_fd_flags(perm_to_file_flags(entry.perm));
+		if (ret < 0) {
+			fput(f);
+			break;
+		}
+		fd_install(ret, f);

So at least we need to use receice_fd_user() here to give a chance to be 
hooked into security module.

Consider this is bascially a kind of passing file descriptor implicitly. 
We need to be careful if any security stufss is missed.

(Have a quick glance at scm_send/recv, feel ok but need to double check).

Thanks

+		break;
+	}