From: Karol Wachowski <karol.wachowski@linux.intel.com>
To: "Christian König" <christian.koenig@amd.com>,
"Ziyi Guo" <guoziyi114@gmail.com>,
maciej.falkowski@linux.intel.com,
jacek.lawrynowicz@linux.intel.com
Cc: ogabbay@kernel.org, sumit.semwal@linaro.org,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
Ziyi Guo <n7l8m4@u.northwestern.edu>
Subject: Re: [PATCH] accel/ivpu: Reject PRIME export of userptr BOs
Date: Mon, 11 May 2026 11:04:21 +0200
Message-ID: <0097f608-dbac-482d-9851-ce306b0c7b78@linux.intel.com>
In-Reply-To: <14b62cee-c46e-4fb9-91ab-aa09c0962834@amd.com>

On 5/11/2026 9:39 AM, Christian König wrote:
> Hi Ziyi,
>
> On 5/8/26 18:28, Ziyi Guo wrote:
>> Userptr BOs wrap pinned user pages in a private dma-buf solely for
>> internal use by the NPU driver. Allowing userspace to re-export such a
>> BO via DRM_IOCTL_PRIME_HANDLE_TO_FD would expose those pages to other
>> drivers through an interface that was never intended to be shared.
>>
>> Override the driver's prime_handle_to_fd callback to detect dma-bufs
>> backed by ivpu_gem_userptr_dmabuf_ops and reject the export with
>> -EINVAL.
>>
>> Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
>
Hi Christian
> first of all thanks a lot for pointing that out! The patch which originally added that somehow slipped through the cracks.
>
> Then @Karol and @Jacek, using DMA-buf like that is a pretty big NO-GO from the DMA-buf side!
>
> Using pages which you don't own (especially file system backed ones) in a DMA-buf is absolutely *NOT* something you can do.
>
> I hope that it is not the case here, but if you also allow to mmap() them then you have created a massive security problem which can lead to random file system corruptions.

This is not allowed, ivpu userpointer dma_buf_ops have no .mmap handler,
this results in -EINVAL when invoked.

Regards,
Karol
>
> Regards,
> Christian.
>
>> ---
>> drivers/accel/ivpu/ivpu_drv.c | 1 +
>> drivers/accel/ivpu/ivpu_gem.c | 28 +++++++++++++++++++++++++++
>> drivers/accel/ivpu/ivpu_gem.h | 3 +++
>> drivers/accel/ivpu/ivpu_gem_userptr.c | 5 +++++
>> 4 files changed, 37 insertions(+)
>>
>> diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
>> index 2801378e3e19..086d4c769b33 100644
>> --- a/drivers/accel/ivpu/ivpu_drv.c
>> +++ b/drivers/accel/ivpu/ivpu_drv.c
>> @@ -545,6 +545,7 @@ static const struct drm_driver driver = {
>>
>> .gem_create_object = ivpu_gem_create_object,
>> .gem_prime_import = ivpu_gem_prime_import,
>> + .prime_handle_to_fd = ivpu_gem_prime_handle_to_fd,
>>
>> .ioctls = ivpu_drm_ioctls,
>> .num_ioctls = ARRAY_SIZE(ivpu_drm_ioctls),
>> diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c
>> index 4f2005a8d496..82079f372b39 100644
>> --- a/drivers/accel/ivpu/ivpu_gem.c
>> +++ b/drivers/accel/ivpu/ivpu_gem.c
>> @@ -12,6 +12,7 @@
>> #include <drm/drm_cache.h>
>> #include <drm/drm_debugfs.h>
>> #include <drm/drm_file.h>
>> +#include <drm/drm_prime.h>
>> #include <drm/drm_utils.h>
>>
>> #include "ivpu_drv.h"
>> @@ -249,6 +250,33 @@ struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev,
>> return ERR_PTR(ret);
>> }
>>
>> +int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
>> + u32 handle, u32 flags, int *prime_fd)
>> +{
>> + struct ivpu_device *vdev = to_ivpu_device(dev);
>> + struct dma_buf *dmabuf;
>> + int fd;
>> +
>> + dmabuf = drm_gem_prime_handle_to_dmabuf(dev, file_priv, handle, flags);
>> + if (IS_ERR(dmabuf))
>> + return PTR_ERR(dmabuf);
>> +
>> + if (ivpu_gem_is_userptr_dma_buf(dmabuf)) {
>> + ivpu_dbg(vdev, IOCTL, "Exporting userptr BO is not allowed\n");
>> + dma_buf_put(dmabuf);
>> + return -EINVAL;
>> + }
>> +
>> + fd = dma_buf_fd(dmabuf, flags);
>> + if (fd < 0) {
>> + dma_buf_put(dmabuf);
>> + return fd;
>> + }
>> +
>> + *prime_fd = fd;
>> + return 0;
>> +}
>> +
>> static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 flags)
>> {
>> struct drm_gem_shmem_object *shmem;
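Review bot: In ivpu_gem_prime_handle_to_fd() the userptr check runs only after drm_gem_prime_handle_to_dmabuf() has already returned a referenced dma-buf, so the export path is executed for a BO that is then refused. If the BO can be recognised as userptr from the GEM object behind the handle, doing that check before the export call would keep the rejected path free of export work. The function also has no comment explaining why a userptr dma-buf must stay driver-private, and -EINVAL with only an ivpu_dbg() message makes the refusal hard for userspace to tell apart from a bad handle or bad flags; a short comment above the function and a more specific errno would help. The dma_buf_put() calls on both failure paths look balanced against the reference taken by the export call.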
>> diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h
>> index 0c3350f22b55..bfd15ce02354 100644
>> --- a/drivers/accel/ivpu/ivpu_gem.h
>> +++ b/drivers/accel/ivpu/ivpu_gem.h
>> @@ -29,6 +29,9 @@ void ivpu_bo_unbind_all_bos_from_context(struct ivpu_device *vdev, struct ivpu_m
>>
>> struct drm_gem_object *ivpu_gem_create_object(struct drm_device *dev, size_t size);
>> struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, struct dma_buf *dma_buf);
>> +int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
>> + u32 handle, u32 flags, int *prime_fd);
>> +bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf);
>> struct ivpu_bo *ivpu_bo_create(struct ivpu_device *vdev, struct ivpu_mmu_context *ctx,
>> struct ivpu_addr_range *range, u64 size, u32 flags);
>> struct ivpu_bo *ivpu_bo_create_runtime(struct ivpu_device *vdev, u64 addr, u64 size, u32 flags);
>> diff --git a/drivers/accel/ivpu/ivpu_gem_userptr.c b/drivers/accel/ivpu/ivpu_gem_userptr.c
>> index 7cbf3a4cdc73..45eabea5961e 100644
>> --- a/drivers/accel/ivpu/ivpu_gem_userptr.c
>> +++ b/drivers/accel/ivpu/ivpu_gem_userptr.c
>> @@ -61,6 +61,11 @@ static const struct dma_buf_ops ivpu_gem_userptr_dmabuf_ops = {
>> .release = ivpu_gem_userptr_dmabuf_release,
>> };
>>
>> +bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf)
>> +{
>> + return dma_buf->ops == &ivpu_gem_userptr_dmabuf_ops;
>> +}
>> +
>> static struct dma_buf *
>> ivpu_create_userptr_dmabuf(struct ivpu_device *vdev, void __user *user_ptr,
>> size_t size, uint32_t flags)
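Review bot: ivpu_gem_is_userptr_dma_buf() dereferences dma_buf unconditionally and has no comment saying that identity of the ops pointer is the only thing marking a dma-buf as a private userptr wrapper. The one caller in this patch passes a pointer that has already passed IS_ERR(), so this is safe today, but because the helper is now exported through ivpu_gem.h a one-line comment on the expected argument (non-NULL, not an ERR_PTR) would protect future callers. The helper only reads the pointer, so the parameter could be const struct dma_buf *.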
>> --
>> 2.34.1
>>
>