On 5/11/2026 9:39 AM, Christian König wrote:
> Hi Zivi,
> 
> On 5/8/26 18:28, Ziyi Guo wrote:
>>   Userptr BOs wrap pinned user pages in a private dma-buf solely for
>>   internal use by the NPU driver. Allowing userspace to re-export such a
>>   BO via DRM_IOCTL_PRIME_HANDLE_TO_FD would expose those pages to other
>>   drivers through an interface that was never intended to be shared.
>>
>>   Override the driver's prime_handle_to_fd callback to detect dma-bufs
>>   backed by ivpu_gem_userptr_dmabuf_ops and reject the export with
>>   -EINVAL.
>>
>> Signed-off-by: Ziyi Guo <[email protected]>
> 

Hi Christian

> first of all thanks a lot for pointing that out! The patch which orginally 
> added that somehow slipped through the cracks.
> 
> Then @Karol and @Jacek, using DMA-buf like that is a pretty big NO-GO from 
> the DMA-buf side!
> 
> Using page which you don't own (especially file system backend ones) in a 
> DMA-buf is absolutely *NOT* something you can do.
> 
> I hope that is not the case here, but if you also allow them to be mmap()ed 
> then you have created a massive security problem which can lead to random file 
> system corruption.

mmap() is not allowed: the ivpu userpointer dma_buf_ops have no .mmap handler,
so an mmap() call on the dma-buf results in -EINVAL.

Regards,
Karol

> 
> Regards,
> Christian.
> 
>> ---
>>  drivers/accel/ivpu/ivpu_drv.c         |  1 +
>>  drivers/accel/ivpu/ivpu_gem.c         | 28 +++++++++++++++++++++++++++
>>  drivers/accel/ivpu/ivpu_gem.h         |  3 +++
>>  drivers/accel/ivpu/ivpu_gem_userptr.c |  5 +++++
>>  4 files changed, 37 insertions(+)
>>
>> diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
>> index 2801378e3e19..086d4c769b33 100644
>> --- a/drivers/accel/ivpu/ivpu_drv.c
>> +++ b/drivers/accel/ivpu/ivpu_drv.c
>> @@ -545,6 +545,7 @@ static const struct drm_driver driver = {
>>
>>         .gem_create_object = ivpu_gem_create_object,
>>         .gem_prime_import = ivpu_gem_prime_import,
>> +       .prime_handle_to_fd = ivpu_gem_prime_handle_to_fd,
>>
>>         .ioctls = ivpu_drm_ioctls,
>>         .num_ioctls = ARRAY_SIZE(ivpu_drm_ioctls),
>> diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c
>> index 4f2005a8d496..82079f372b39 100644
>> --- a/drivers/accel/ivpu/ivpu_gem.c
>> +++ b/drivers/accel/ivpu/ivpu_gem.c
>> @@ -12,6 +12,7 @@
>>  #include <drm/drm_cache.h>
>>  #include <drm/drm_debugfs.h>
>>  #include <drm/drm_file.h>
>> +#include <drm/drm_prime.h>
>>  #include <drm/drm_utils.h>
>>
>>  #include "ivpu_drv.h"
>> @@ -249,6 +250,33 @@ struct drm_gem_object *ivpu_gem_prime_import(struct 
>> drm_device *dev,
>>         return ERR_PTR(ret);
>>  }
>>
>> +int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file 
>> *file_priv,
>> +                               u32 handle, u32 flags, int *prime_fd)
>> +{
>> +       struct ivpu_device *vdev = to_ivpu_device(dev);
>> +       struct dma_buf *dmabuf;
>> +       int fd;
>> +
>> +       dmabuf = drm_gem_prime_handle_to_dmabuf(dev, file_priv, handle, 
>> flags);
>> +       if (IS_ERR(dmabuf))
>> +               return PTR_ERR(dmabuf);
>> +
>> +       if (ivpu_gem_is_userptr_dma_buf(dmabuf)) {
>> +               ivpu_dbg(vdev, IOCTL, "Exporting userptr BO is not 
>> allowed\n");
>> +               dma_buf_put(dmabuf);
>> +               return -EINVAL;
>> +       }
>> +
>> +       fd = dma_buf_fd(dmabuf, flags);
>> +       if (fd < 0) {
>> +               dma_buf_put(dmabuf);
>> +               return fd;
>> +       }
>> +
>> +       *prime_fd = fd;
>> +       return 0;
>> +}
>> +
>>  static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, 
>> u32 flags)
>>  {
>>         struct drm_gem_shmem_object *shmem;
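Review bot: The userptr check in ivpu_gem_prime_handle_to_fd() runs only after drm_gem_prime_handle_to_dmabuf() has returned a referenced dma-buf, so any per-file bookkeeping that helper does for the handle has already happened by the time the export is refused. The helper's body is not visible here; if it records the buffer in the file's PRIME lookup table, a rejected call would leave that entry and its reference in place until the handle is closed, so either confirm this is harmless or reject on the GEM object before calling the helper. The new function also carries no comment explaining why the export must be refused. Something like `/* Userptr BOs wrap pinned user pages the driver does not own; their dma-buf must never reach another importer. */` above the definition would keep a later refactor from dropping the check. The error paths correctly pair each early return with `dma_buf_put()`.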
>> diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h
>> index 0c3350f22b55..bfd15ce02354 100644
>> --- a/drivers/accel/ivpu/ivpu_gem.h
>> +++ b/drivers/accel/ivpu/ivpu_gem.h
>> @@ -29,6 +29,9 @@ void ivpu_bo_unbind_all_bos_from_context(struct 
>> ivpu_device *vdev, struct ivpu_m
>>
>>  struct drm_gem_object *ivpu_gem_create_object(struct drm_device *dev, 
>> size_t size);
>>  struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, struct 
>> dma_buf *dma_buf);
>> +int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file 
>> *file_priv,
>> +                               u32 handle, u32 flags, int *prime_fd);
>> +bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf);
>>  struct ivpu_bo *ivpu_bo_create(struct ivpu_device *vdev, struct 
>> ivpu_mmu_context *ctx,
>>                                struct ivpu_addr_range *range, u64 size, u32 
>> flags);
>>  struct ivpu_bo *ivpu_bo_create_runtime(struct ivpu_device *vdev, u64 addr, 
>> u64 size, u32 flags);
>> diff --git a/drivers/accel/ivpu/ivpu_gem_userptr.c 
>> b/drivers/accel/ivpu/ivpu_gem_userptr.c
>> index 7cbf3a4cdc73..45eabea5961e 100644
>> --- a/drivers/accel/ivpu/ivpu_gem_userptr.c
>> +++ b/drivers/accel/ivpu/ivpu_gem_userptr.c
>> @@ -61,6 +61,11 @@ static const struct dma_buf_ops 
>> ivpu_gem_userptr_dmabuf_ops = {
>>         .release = ivpu_gem_userptr_dmabuf_release,
>>  };
>>
>> +bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf)
>> +{
>> +       return dma_buf->ops == &ivpu_gem_userptr_dmabuf_ops;
>> +}
>> +
>>  static struct dma_buf *
>>  ivpu_create_userptr_dmabuf(struct ivpu_device *vdev, void __user *user_ptr,
>>                            size_t size, uint32_t flags)
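Review bot: ivpu_gem_is_userptr_dma_buf() only compares `dma_buf->ops` against the ops table, so its parameter could be `const struct dma_buf *dma_buf`, with the prototype in ivpu_gem.h changed to match. The helper is the only thing separating private userptr buffers from exportable ones, so it deserves a one-line comment saying that callers rely on it to keep those buffers inside the driver. It dereferences its argument unconditionally, which is fine for the one caller shown, but that caller passes a pointer already checked with `IS_ERR()`, so the non-NULL, non-ERR_PTR precondition should be stated in the comment.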
>> --
>> 2.34.1
>>
> 
