Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp416926lqo; Wed, 8 May 2024 04:02:24 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXxi8jkzENAXcH/7qKTTYHml4nypovlDphVX4Z2bjFpsXblzglr+X5UvpkbXptOYD2Fmrm/BV46Ix9M7CvDB7tMcTrBSIuyOquZXbDrSQ== X-Google-Smtp-Source: AGHT+IETcmOM9N3j6C8heBfGMCW19SlU4bXOeyRK5TKSVwHR9yXjinHdjUb5UXFi1rG8bZkBwvob X-Received: by 2002:a50:cdd9:0:b0:572:6aaf:e0d3 with SMTP id 4fb4d7f45d1cf-5731d9b78d4mr1676417a12.7.1715166144807; Wed, 08 May 2024 04:02:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715166144; cv=pass; d=google.com; s=arc-20160816; b=TvAX068AU1sCm/zubMFsYfyuWZZrECJDyrJqAMxdDaPCcyBcCKtdzOGbdyHkYaCKdm +2SFrSPs8bBVeOw6ZXLIhh8xPoAUxPT/Fh8hGA3WQD0HBzK/RVolT2ZfiWP31mcrNp/7 GARBOz8F0wFbUADifbw02prUOAII0Y8DWr19rb7e9fS6wz7Pfn/02yoOTPIpl7215boG 0xxFTHWD/3sWlbji2rfKWwFkUBs1S3oiiwbPu0XJ5Jhy/NdFANa7YVFH57bD6KdI4Mpg sKD4mcTcQ8lEL15fC0twcL6Dcyg5KvHavhanNbdwt42S+upR8FOeC6nwnM/PlLZ9j4t7 f6xg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:mail-followup-to:message-id:subject:cc:to:from:date :dkim-signature; bh=J7aS9he7xY72nZNIRe7yyrnZe3tp43pBLnMfxlD1rnU=; fh=3kpVsJ8Fj2XRS+6tF4xH2TLe5hpc7w/h/SBteajadkg=; b=CUkaF717Ks9vTbhIu0QkSc0C+UZ9xb5K8ZfKWDefGgnjS1z2cT0hXcLXFNrALKbnBj xDJV7qt92jX6M36m6n9NoVU9JBzjY1X8xx43u2JFpPVIp30x3q/szK3EuR6g8dmKho5m 0TVC5OqkFYfeva21BFcMyFPTQvyQrlJfOWJX1AKgeDbYne40yLQyiwLJ1oDo+vifJGoh FlfDL5+NlIwPjyJ3Ed4Ijw2XQW/DKkT1Ap+tmYqe3jKQBGLpO9Y1oXuJZ9f5rWmHWAB4 99DLNzeAybje64SpQu73l0pd4fsGdWK/PqUyE678xRqW8Bo5WcS1vZIj7VVsmWD6NcQl V67A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=lZRLXFtT; arc=pass (i=1 dkim=pass dkdomain=ffwll.ch); spf=pass (google.com: domain of linux-kernel+bounces-172916-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172916-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id b18-20020a05640202d200b00572a931e88bsi6765543edx.687.2024.05.08.04.02.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 May 2024 04:02:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-172916-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=lZRLXFtT; arc=pass (i=1 dkim=pass dkdomain=ffwll.ch); spf=pass (google.com: domain of linux-kernel+bounces-172916-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172916-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 3FFE51F25543 for ; Wed, 8 May 2024 08:36:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 89EFB535D1; Wed, 8 May 2024 08:36:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=ffwll.ch header.i=@ffwll.ch header.b="lZRLXFtT" Received: from mail-ej1-f49.google.com (mail-ej1-f49.google.com [209.85.218.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 45AEF28FF for ; Wed, 8 May 2024 08:36:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715157373; cv=none; b=ZyTSGf5BPX9Xwyxv0H49c/ABSC63TuIFlRFdDObAzYF2/gUL81Z5aVgn2PVJUvSUaj77iNQ91DkbAoZojcdjnFlLt8kGPqowrZoJ598mRfjNp7D3rVic8NznOPw1nT1Mm1T5abejECTWIVCPwcqMLfHtmhrZYlE+4wNC8hENnSg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715157373; c=relaxed/simple; bh=cD/uGN2qcTWGaaGtNYJBO9NukjIRx0YtregF+2V1VYI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=i29v7Mxuso67JObaGnq4ROSIBcHSASy3e5VesFs7LFh9PhKONmkC+z1gza+F49cqmobSarVjhX9tV0rU1svJrr5hEcM1ieBwInXvXFb71pfvsrlvEs9RGHcHF+tjNt24E31RfAGEuaQ/bJRP8wbHX/07elS7ZKOVbPTwNE8ufPU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ffwll.ch; spf=none smtp.mailfrom=ffwll.ch; dkim=pass (1024-bit key) header.d=ffwll.ch header.i=@ffwll.ch header.b=lZRLXFtT; arc=none smtp.client-ip=209.85.218.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ffwll.ch Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=ffwll.ch Received: by mail-ej1-f49.google.com with SMTP id a640c23a62f3a-a599b74fd49so102014966b.2 for ; Wed, 08 May 2024 01:36:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; t=1715157370; x=1715762170; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date:from:to:cc:subject:date:message-id:reply-to; bh=J7aS9he7xY72nZNIRe7yyrnZe3tp43pBLnMfxlD1rnU=; b=lZRLXFtTpf6T/YG9g89aQUatMWTimu0/EG7HKp449+nKqYvIAIDgTZZ8MUhKrXRfzy Ws/pUMT6u2cODkYljc+sNoMMqsN3oMAjvf9+bOkcWOKq3fI4+WSZxVgIYEbXQnWigLIS y+TWDcmrRAdL1AbHwwRpOmwKxwdAUuV9f6klA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715157370; x=1715762170; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=J7aS9he7xY72nZNIRe7yyrnZe3tp43pBLnMfxlD1rnU=; b=G6N3uOgTFH2hr7+QRNujpLvbt1xMnV0n2wynx3CUSpjDepW50VKbPjupLVb6L+jurR r5awI7nHy/X33ZeTbvGOCdDfEKJ4OqeXIrPsFzpYMEmti2MFVLxNkoufzhG9RsE2MzAy n1Ha6l31/vZQcwFahaG8GYuz2ZTR4a2D4YNdY8bkhpgTmg3jkvFMIDUVS4C2iBi+UO4z qUDNpP7yf/Qr5NYegP07RCF8ONGh0WRi4clW7N5gfEBRQCQhFI4hZVPIFPhilcIVFcMT acxdy1CRWS7/g6Qc1BJ3Rez5NrLpfnn6wjddA1LVwwX1ees8moPLvpRWvmcR8gz0If0z TNrQ== X-Forwarded-Encrypted: i=1; AJvYcCWMhL3fBABIHgvO6zzDlViieSqE0YPkDchM8oGH2lFTiQJ5+FZ1chJ02P9YQdeRdmNkQRZA7dRQOaUORWO02rSb9VyanGbMEMe5BHTR X-Gm-Message-State: AOJu0YwbB3AkJeGj9jggBo/8jThhnoSxGaJeBG6TMasKpNPNdIBI3y8W o9KceKNZkR0J1vsAkaFHYd69H5ZCFK92i5E+TkvtJyK8On0LBIuypGkobwtWCKM= X-Received: by 2002:a17:906:3113:b0:a59:c46b:c524 with SMTP id a640c23a62f3a-a59fb7107bcmr140268666b.0.1715157370636; Wed, 08 May 2024 01:36:10 -0700 (PDT) Received: from phenom.ffwll.local ([2a02:168:57f4:0:efd0:b9e5:5ae6:c2fa]) by smtp.gmail.com with ESMTPSA id gc21-20020a170906c8d500b00a59a7bac0easm5214354ejb.164.2024.05.08.01.36.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 May 2024 01:36:10 -0700 (PDT) Date: Wed, 8 May 2024 10:36:08 +0200 From: Daniel Vetter To: Nicolas Dufresne Cc: Laurent Pinchart , Daniel Vetter , Bryan O'Donoghue , Dmitry Baryshkov , Hans de Goede , Sumit Semwal , Benjamin Gaignard , Brian Starkey , John Stultz , "T.J. Mercier" , Christian =?iso-8859-1?Q?K=F6nig?= , Lennart Poettering , Robert Mader , Sebastien Bacher , Linux Media Mailing List , "dri-devel@lists.freedesktop.org" , linaro-mm-sig@lists.linaro.org, Linux Kernel Mailing List , Milan Zamazal , Maxime Ripard , Andrey Konovalov Subject: Re: Safety of opening up /dev/dma_heap/* to physically present users (udev uaccess tag) ? Message-ID: Mail-Followup-To: Nicolas Dufresne , Laurent Pinchart , Bryan O'Donoghue , Dmitry Baryshkov , Hans de Goede , Sumit Semwal , Benjamin Gaignard , Brian Starkey , John Stultz , "T.J. Mercier" , Christian =?iso-8859-1?Q?K=F6nig?= , Lennart Poettering , Robert Mader , Sebastien Bacher , Linux Media Mailing List , "dri-devel@lists.freedesktop.org" , linaro-mm-sig@lists.linaro.org, Linux Kernel Mailing List , Milan Zamazal , Maxime Ripard , Andrey Konovalov References: <3c0c7e7e-1530-411b-b7a4-9f13e0ff1f9e@redhat.com> <20240507183613.GB20390@pendragon.ideasonboard.com> <4f59a9d78662831123cc7e560218fa422e1c5eca.camel@collabora.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4f59a9d78662831123cc7e560218fa422e1c5eca.camel@collabora.com> X-Operating-System: Linux phenom 6.6.15-amd64 On Tue, May 07, 2024 at 04:07:39PM -0400, Nicolas Dufresne wrote: > Hi, > > Le mardi 07 mai 2024 ? 21:36 +0300, Laurent Pinchart a ?crit?: > > Shorter term, we have a problem to solve, and the best option we have > > found so far is to rely on dma-buf heaps as a backend for the frame > > buffer allocatro helper in libcamera for the use case described above. > > This won't work in 100% of the cases, clearly. It's a stop-gap measure > > until we can do better. > > Considering the security concerned raised on this thread with dmabuf heap > allocation not be restricted by quotas, you'd get what you want quickly with > memfd + udmabuf instead (which is accounted already). > > It was raised that distro don't enable udmabuf, but as stated there by Hans, in > any cases distro needs to take action to make the softISP works. This > alternative is easy and does not interfere in anyway with your future plan or > the libcamera API. You could even have both dmabuf heap (for Raspbian) and the > safer memfd+udmabuf for the distro with security concerns. > > And for the long term plan, we can certainly get closer by fixing that issue > with accounting. This issue also applied to v4l2 io-ops, so it would be nice to > find common set of helpers to fix these exporters. Yeah if this is just for softisp, then memfd + udmabuf is also what I was about to suggest. Not just as a stopgap, but as the real official thing. udmabuf does kinda allow you to pin memory, but we can easily fix that by adding the right accounting and then either let mlock rlimits or cgroups kernel memory limits enforce good behavior. -Sima -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch