[PATCH] accel/ivpu: Reject PRIME export of userptr BOs

Sun, 10 May 2026 03:07:24 -0700 

  Userptr BOs wrap pinned user pages in a private dma-buf solely for
  internal use by the NPU driver. Allowing userspace to re-export such a
  BO via DRM_IOCTL_PRIME_HANDLE_TO_FD would expose those pages to other
  drivers through an interface that was never intended to be shared.

  Override the driver's prime_handle_to_fd callback to detect dma-bufs
  backed by ivpu_gem_userptr_dmabuf_ops and reject the export with
  -EINVAL.

Signed-off-by: Ziyi Guo <[email protected]>
---
 drivers/accel/ivpu/ivpu_drv.c         |  1 +
 drivers/accel/ivpu/ivpu_gem.c         | 28 +++++++++++++++++++++++++++
 drivers/accel/ivpu/ivpu_gem.h         |  3 +++
 drivers/accel/ivpu/ivpu_gem_userptr.c |  5 +++++
 4 files changed, 37 insertions(+)

diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
index 2801378e3e19..086d4c769b33 100644
--- a/drivers/accel/ivpu/ivpu_drv.c
+++ b/drivers/accel/ivpu/ivpu_drv.c
@@ -545,6 +545,7 @@ static const struct drm_driver driver = {
 
        .gem_create_object = ivpu_gem_create_object,
        .gem_prime_import = ivpu_gem_prime_import,
+       .prime_handle_to_fd = ivpu_gem_prime_handle_to_fd,
 
        .ioctls = ivpu_drm_ioctls,
        .num_ioctls = ARRAY_SIZE(ivpu_drm_ioctls),
diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c
index 4f2005a8d496..82079f372b39 100644
--- a/drivers/accel/ivpu/ivpu_gem.c
+++ b/drivers/accel/ivpu/ivpu_gem.c
@@ -12,6 +12,7 @@
 #include <drm/drm_cache.h>
 #include <drm/drm_debugfs.h>
 #include <drm/drm_file.h>
+#include <drm/drm_prime.h>
 #include <drm/drm_utils.h>
 
 #include "ivpu_drv.h"
@@ -249,6 +250,33 @@ struct drm_gem_object *ivpu_gem_prime_import(struct 
drm_device *dev,
        return ERR_PTR(ret);
 }
 
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file 
*file_priv,
+                               u32 handle, u32 flags, int *prime_fd)
+{
+       struct ivpu_device *vdev = to_ivpu_device(dev);
+       struct dma_buf *dmabuf;
+       int fd;
+
+       dmabuf = drm_gem_prime_handle_to_dmabuf(dev, file_priv, handle, flags);
+       if (IS_ERR(dmabuf))
+               return PTR_ERR(dmabuf);
+
+       if (ivpu_gem_is_userptr_dma_buf(dmabuf)) {
+               ivpu_dbg(vdev, IOCTL, "Exporting userptr BO is not allowed\n");
+               dma_buf_put(dmabuf);
+               return -EINVAL;
+       }
+
+       fd = dma_buf_fd(dmabuf, flags);
+       if (fd < 0) {
+               dma_buf_put(dmabuf);
+               return fd;
+       }
+
+       *prime_fd = fd;
+       return 0;
+}
+
 static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 
flags)
 {
        struct drm_gem_shmem_object *shmem;
diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h
index 0c3350f22b55..bfd15ce02354 100644
--- a/drivers/accel/ivpu/ivpu_gem.h
+++ b/drivers/accel/ivpu/ivpu_gem.h
@@ -29,6 +29,9 @@ void ivpu_bo_unbind_all_bos_from_context(struct ivpu_device 
*vdev, struct ivpu_m
 
 struct drm_gem_object *ivpu_gem_create_object(struct drm_device *dev, size_t 
size);
 struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, struct 
dma_buf *dma_buf);
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file 
*file_priv,
+                               u32 handle, u32 flags, int *prime_fd);
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf);
 struct ivpu_bo *ivpu_bo_create(struct ivpu_device *vdev, struct 
ivpu_mmu_context *ctx,
                               struct ivpu_addr_range *range, u64 size, u32 
flags);
 struct ivpu_bo *ivpu_bo_create_runtime(struct ivpu_device *vdev, u64 addr, u64 
size, u32 flags);
diff --git a/drivers/accel/ivpu/ivpu_gem_userptr.c 
b/drivers/accel/ivpu/ivpu_gem_userptr.c
index 7cbf3a4cdc73..45eabea5961e 100644
--- a/drivers/accel/ivpu/ivpu_gem_userptr.c
+++ b/drivers/accel/ivpu/ivpu_gem_userptr.c
@@ -61,6 +61,11 @@ static const struct dma_buf_ops ivpu_gem_userptr_dmabuf_ops 
= {
        .release = ivpu_gem_userptr_dmabuf_release,
 };
 
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf)
+{
+       return dma_buf->ops == &ivpu_gem_userptr_dmabuf_ops;
+}
+
 static struct dma_buf *
 ivpu_create_userptr_dmabuf(struct ivpu_device *vdev, void __user *user_ptr,
                           size_t size, uint32_t flags)
-- 
2.34.1

Reply via email to