[PATCH] accel/ivpu: Reject PRIME export of userptr BOs

[Ziyi Guo]

  Userptr BOs wrap pinned user pages in a private dma-buf solely for
  internal use by the NPU driver. Allowing userspace to re-export such a
  BO via DRM_IOCTL_PRIME_HANDLE_TO_FD would expose those pages to other
  drivers through an interface that was never intended to be shared.

  Override the driver's prime_handle_to_fd callback to detect dma-bufs
  backed by ivpu_gem_userptr_dmabuf_ops and reject the export with
  -EINVAL.

Signed-off-by: Ziyi Guo <n7l8m4@xxxxxxxxxxxxxxxxxx>
---
 drivers/accel/ivpu/ivpu_drv.c         |  1 +
 drivers/accel/ivpu/ivpu_gem.c         | 28 +++++++++++++++++++++++++++
 drivers/accel/ivpu/ivpu_gem.h         |  3 +++
 drivers/accel/ivpu/ivpu_gem_userptr.c |  5 +++++
 4 files changed, 37 insertions(+)

diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
index 2801378e3e19..086d4c769b33 100644
--- a/drivers/accel/ivpu/ivpu_drv.c
+++ b/drivers/accel/ivpu/ivpu_drv.c
@@ -545,6 +545,7 @@ static const struct drm_driver driver = {
 
 	.gem_create_object = ivpu_gem_create_object,
 	.gem_prime_import = ivpu_gem_prime_import,
+	.prime_handle_to_fd = ivpu_gem_prime_handle_to_fd,
 
 	.ioctls = ivpu_drm_ioctls,
 	.num_ioctls = ARRAY_SIZE(ivpu_drm_ioctls),
diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c
index 4f2005a8d496..82079f372b39 100644
--- a/drivers/accel/ivpu/ivpu_gem.c
+++ b/drivers/accel/ivpu/ivpu_gem.c
@@ -12,6 +12,7 @@
 #include <drm/drm_cache.h>
 #include <drm/drm_debugfs.h>
 #include <drm/drm_file.h>
+#include <drm/drm_prime.h>
 #include <drm/drm_utils.h>
 
 #include "ivpu_drv.h"
@@ -249,6 +250,33 @@ struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev,
 	return ERR_PTR(ret);
 }
 
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
+				u32 handle, u32 flags, int *prime_fd)
+{
+	struct ivpu_device *vdev = to_ivpu_device(dev);
+	struct dma_buf *dmabuf;
+	int fd;
+
+	dmabuf = drm_gem_prime_handle_to_dmabuf(dev, file_priv, handle, flags);
+	if (IS_ERR(dmabuf))
+		return PTR_ERR(dmabuf);
+
+	if (ivpu_gem_is_userptr_dma_buf(dmabuf)) {
+		ivpu_dbg(vdev, IOCTL, "Exporting userptr BO is not allowed\n");
+		dma_buf_put(dmabuf);
+		return -EINVAL;
+	}
+
+	fd = dma_buf_fd(dmabuf, flags);
+	if (fd < 0) {
+		dma_buf_put(dmabuf);
+		return fd;
+	}
+
+	*prime_fd = fd;
+	return 0;
+}
+
 static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 flags)
 {
 	struct drm_gem_shmem_object *shmem;
diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h
index 0c3350f22b55..bfd15ce02354 100644
--- a/drivers/accel/ivpu/ivpu_gem.h
+++ b/drivers/accel/ivpu/ivpu_gem.h
@@ -29,6 +29,9 @@ void ivpu_bo_unbind_all_bos_from_context(struct ivpu_device *vdev, struct ivpu_m
 
 struct drm_gem_object *ivpu_gem_create_object(struct drm_device *dev, size_t size);
 struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, struct dma_buf *dma_buf);
+int ivpu_gem_prime_handle_to_fd(struct drm_device *dev, struct drm_file *file_priv,
+				u32 handle, u32 flags, int *prime_fd);
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf);
 struct ivpu_bo *ivpu_bo_create(struct ivpu_device *vdev, struct ivpu_mmu_context *ctx,
 			       struct ivpu_addr_range *range, u64 size, u32 flags);
 struct ivpu_bo *ivpu_bo_create_runtime(struct ivpu_device *vdev, u64 addr, u64 size, u32 flags);
diff --git a/drivers/accel/ivpu/ivpu_gem_userptr.c b/drivers/accel/ivpu/ivpu_gem_userptr.c
index 7cbf3a4cdc73..45eabea5961e 100644
--- a/drivers/accel/ivpu/ivpu_gem_userptr.c
+++ b/drivers/accel/ivpu/ivpu_gem_userptr.c
@@ -61,6 +61,11 @@ static const struct dma_buf_ops ivpu_gem_userptr_dmabuf_ops = {
 	.release = ivpu_gem_userptr_dmabuf_release,
 };
 
+bool ivpu_gem_is_userptr_dma_buf(struct dma_buf *dma_buf)
+{
+	return dma_buf->ops == &ivpu_gem_userptr_dmabuf_ops;
+}
+
 static struct dma_buf *
 ivpu_create_userptr_dmabuf(struct ivpu_device *vdev, void __user *user_ptr,
 			   size_t size, uint32_t flags)
-- 
2.34.1