Hi Zivi,
On 5/8/26 18:28, Ziyi Guo wrote:
Userptr BOs wrap pinned user pages in a private dma-buf solely for internal use by the NPU driver. Allowing userspace to re-export such a BO via DRM_IOCTL_PRIME_HANDLE_TO_FD would expose those pages to other drivers through an interface that was never intended to be shared.
Override the driver's prime_handle_to_fd callback to detect dma-bufs backed by ivpu_gem_userptr_dmabuf_ops and reject the export with -EINVAL.
Signed-off-by: Ziyi Guo n7l8m4@u.northwestern.edu
first of all thanks a lot for pointing that out! The patch which orginally added that somehow slipped through the cracks.
Then @Karol and @Jacek, using DMA-buf like that is a pretty big NO-GO from the DMA-buf side!
Using page which you don't own (especially file system backend ones) in a DMA-buf is absolutely *NOT* something you can do.
I hope that it is not the case here, but if you also allow mmap() on them then you have created a massive security problem which can lead to random file system corruption.
Regards, Christian.
drivers/accel/ivpu/ivpu_drv.c | 1 + drivers/accel/ivpu/ivpu_gem.c | 28 +++++++++++++++++++++++++++ drivers/accel/ivpu/ivpu_gem.h | 3 +++ drivers/accel/ivpu/ivpu_gem_userptr.c | 5 +++++ 4 files changed, 37 insertions(+)
diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
index 2801378e3e19..086d4c769b33 100644
--- a/drivers/accel/ivpu/ivpu_drv.c
+++ b/drivers/accel/ivpu/ivpu_drv.c
@@ -545,6 +545,7 @@ static const struct drm_driver driver = {
.gem_create_object = ivpu_gem_create_object, .gem_prime_import = ivpu_gem_prime_import,
.prime_handle_to_fd = ivpu_gem_prime_handle_to_fd, .ioctls = ivpu_drm_ioctls, .num_ioctls = ARRAY_SIZE(ivpu_drm_ioctls),
diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c
index 4f2005a8d496..82079f372b39 100644
--- a/drivers/accel/ivpu/ivpu_gem.c
+++ b/drivers/accel/ivpu/ivpu_gem.c
@@ -12,6 +12,7 @@
#include <drm/drm_cache.h>
#include <drm/drm_debugfs.h>
#include <drm/drm_file.h>
+#include <drm/drm_prime.h>
#include <drm/drm_utils.h>
#include "ivpu_drv.h"
@@ -249,6 +250,33 @@ struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, return ERR_PTR(ret); }
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
u32 handle, u32 flags, int *prime_fd)
+{
struct ivpu_device *vdev = to_ivpu_device(dev);struct dma_buf *dmabuf;int fd;dmabuf = drm_gem_prime_handle_to_dmabuf(dev, file_priv, handle, flags);if (IS_ERR(dmabuf))return PTR_ERR(dmabuf);if (ivpu_gem_is_userptr_dma_buf(dmabuf)) {ivpu_dbg(vdev, IOCTL, "Exporting userptr BO is not allowed\n");dma_buf_put(dmabuf);return -EINVAL;}fd = dma_buf_fd(dmabuf, flags);if (fd < 0) {dma_buf_put(dmabuf);return fd;}*prime_fd = fd;return 0;
+}
static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 flags) { struct drm_gem_shmem_object *shmem;
diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h
index 0c3350f22b55..bfd15ce02354 100644
--- a/drivers/accel/ivpu/ivpu_gem.h
+++ b/drivers/accel/ivpu/ivpu_gem.h
@@ -29,6 +29,9 @@ void ivpu_bo_unbind_all_bos_from_context(struct ivpu_device *vdev, struct ivpu_m
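Review bot: In ivpu_gem_prime_handle_to_fd() the userptr test runs only after drm_gem_prime_handle_to_dmabuf() has returned a referenced dma-buf, so a refused export still goes through everything that helper does. The helper's body is not part of this patch; if it records the handle/dma-buf pair in the file's prime table, that entry stays behind on the -EINVAL path until the handle is closed, and identifying the BO as userptr from the GEM object before calling the helper would avoid it. The check also carries no comment saying why export is refused; a line such as `/* userptr dma-bufs wrap pinned user pages for driver-internal use; never export them */` above `if (ivpu_gem_is_userptr_dma_buf(dmabuf))` would keep the reason next to the code. Both failure paths do drop the reference with dma_buf_put().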
struct drm_gem_object *ivpu_gem_create_object(struct drm_device *dev, size_t size);
struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, struct dma_buf *dma_buf);
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
u32 handle, u32 flags, int *prime_fd);
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf);
struct ivpu_bo *ivpu_bo_create(struct ivpu_device *vdev, struct ivpu_mmu_context *ctx, struct ivpu_addr_range *range, u64 size, u32 flags);
struct ivpu_bo *ivpu_bo_create_runtime(struct ivpu_device *vdev, u64 addr, u64 size, u32 flags);
diff --git a/drivers/accel/ivpu/ivpu_gem_userptr.c b/drivers/accel/ivpu/ivpu_gem_userptr.c
index 7cbf3a4cdc73..45eabea5961e 100644
--- a/drivers/accel/ivpu/ivpu_gem_userptr.c
+++ b/drivers/accel/ivpu/ivpu_gem_userptr.c
@@ -61,6 +61,11 @@ static const struct dma_buf_ops ivpu_gem_userptr_dmabuf_ops = { .release = ivpu_gem_userptr_dmabuf_release, };
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf)
+{
return dma_buf->ops == &ivpu_gem_userptr_dmabuf_ops;
+}
static struct dma_buf * ivpu_create_userptr_dmabuf(struct ivpu_device *vdev, void __user *user_ptr, size_t size, uint32_t flags)
-- 2.34.1
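Review bot: ivpu_gem_is_userptr_dma_buf() only reads `dma_buf->ops`, so its parameter can be const-qualified: `bool ivpu_gem_is_userptr_dma_buf(const struct dma_buf *dma_buf)`, with the same change to the prototype added in ivpu_gem.h. The helper is now the single test that keeps these private dma-bufs from being exported, so it deserves a one-line comment saying which dma-bufs it identifies. Presumably those are the ones built by ivpu_create_userptr_dmabuf(), but that is inferred from the ops table and the function name after the hunk; its body is outside the hunk.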
linaro-mm-sig@lists.linaro.org