Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1900385lqo; Mon, 13 May 2024 01:34:42 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWxhjIjC/UHl4csJhS+0bB2taN+mBABmiiZXZJfHjX4pkYjwvPXdnBOrodsKKBnDom1RLKPt40l/7grH+nzKkj9sGEh24gyK7GOxX9mfA== X-Google-Smtp-Source: AGHT+IF1qo4+hCbt7S5EWlWy6tAi3SOG1PHLYCxBgfDndJ5368Q2tAg5QrPgQTbMQCzXLoEBb4R5 X-Received: by 2002:a17:906:ecb4:b0:a5a:2d30:b8c5 with SMTP id a640c23a62f3a-a5a2d5356f5mr654360766b.16.1715589282519; Mon, 13 May 2024 01:34:42 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715589282; cv=pass; d=google.com; s=arc-20160816; b=KbILM4UO2et4I03FW6C8W9wntPOP5iGpOk8u/xLjZjGZuPPju8HHjW5HESQYBWhXKe TvzDnj/fy4ESLe28GZhTPdub+ICinF0vhk/d4riwIhJtPeVBSODx9D7HcT35mBLxONzn LAMAxYrtF0iWJ+ZB5uv1ulsN5UgdxJxsWKQ9jVg9RFE8mfvHZz/yoZSv1Ii8lBLmgzDT 1O43OABcf5tQ7qb/p4wgNMiqnTy+EysQ1N5sxHfSWZne9ymqsw5pW7hnKXARjm+GcD9v AG7V6zkbgA8RXdl7q6FwV5EBu/CQKLQA27coF4EqUo/ddhhlEQSoLrlPi4rSatM5ltx5 Cl1Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=QzCKO+xP9tbUpLXelfmyuEW6GTjkaRZfTsZc2pQfGVw=; fh=mZxK19WRxx5vFiQLVC+MEb6bb2JPcIlQOlDl64YLbs0=; b=ZemDIbUSQNZSEHMTczr/4tqTSkGYu6BfQ1schykc9MwueIW57GTzryWRujDpunzqT5 Ee8iykk4uQTu7oyJhDqJirSQS4/RQPaeQSS6bWB2UAvCFtBldjKqA2hZKPKMKxnEsmFe yVkFRDg06tDOPr+QAEqaIGEfXSj7Y6Yt+4Vr2rXYOau29y8GtN23H4rX8SWlehbOAQey 2ORQfpa5J4HgY8blx99G4q3wiq1mZ94ieT+OWGsPRakyAyz5OIT0+HpXCqPTy2FvkAcu +Eoz/N2Yms1Z10tq83zUStbXvVlFX7e/utz04viXefxBtxVckOJ1Ksss7aqpkwD9q2hO IYsw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=XVgit3Hi; arc=pass (i=1 spf=pass spfdomain=ideasonboard.com dkim=pass dkdomain=ideasonboard.com); spf=pass (google.com: domain of linux-kernel+bounces-177349-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-177349-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a640c23a62f3a-a5a3a14065bsi349515066b.157.2024.05.13.01.34.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 May 2024 01:34:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-177349-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass (test mode) header.i=@ideasonboard.com header.s=mail header.b=XVgit3Hi; arc=pass (i=1 spf=pass spfdomain=ideasonboard.com dkim=pass dkdomain=ideasonboard.com); spf=pass (google.com: domain of linux-kernel+bounces-177349-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-177349-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 1B4061F21FA0 for ; Mon, 13 May 2024 08:34:42 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C52EB147C8F; Mon, 13 May 2024 08:34:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=ideasonboard.com header.i=@ideasonboard.com header.b="XVgit3Hi" Received: from perceval.ideasonboard.com (perceval.ideasonboard.com [213.167.242.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8DB3A4D9F2; Mon, 13 May 2024 08:34:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.167.242.64 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715589272; cv=none; b=uyirEzqgzRl7Xwezfr1kFjd37IQp27vmuD0zdMI1jzkZO8Bb4FGR+tXIUcAqBeC9JrjiGJsMt/ZlaFBwEHJK7UnKEnlOejrKvQi4QUnvh9EOeIOXVCMEM4Zhs+l/8EUT8LXCbTZ44Ef/BAgXMfJor27PmeuZnDwIMtk9BzqDCLI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715589272; c=relaxed/simple; bh=3+JpsjijNwVfhIgxFFClxLN3MWbkLfvCjawwwkKMzyc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=fnXT7jBgCFKHrebcHnNA5ZOUKqFEIv6nXSV3aeweNABMa0Q8ZAN04yhUkd7y+BApkQWixQPG3IUCONMfa1SCQfLBjFEme9RXlkRIxHnQuceY14vxj/xlr+krLTjdkCCF5oUd6xFiFH6oEeB/aMQG0XBQFLd/6Ew1g962msbKD3E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ideasonboard.com; spf=pass smtp.mailfrom=ideasonboard.com; dkim=pass (1024-bit key) header.d=ideasonboard.com header.i=@ideasonboard.com header.b=XVgit3Hi; arc=none smtp.client-ip=213.167.242.64 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ideasonboard.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ideasonboard.com Received: from pendragon.ideasonboard.com (81-175-209-231.bb.dnainternet.fi [81.175.209.231]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id C0B7A25B; Mon, 13 May 2024 10:34:19 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1715589260; bh=3+JpsjijNwVfhIgxFFClxLN3MWbkLfvCjawwwkKMzyc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=XVgit3HiXv0r/DEgZjewkKpcLVKH45rkn4krxw+Z/vm6ly+fsEJ+xG45xgXw3E8Fr dEcilM+p9aGwMzSv3GMRBLs+RS0wiKQf+P5ekg6WNiLW7Z3gh/BZePedompb19Xf1d kLq4vYcQp/hxlWdEeRkBzSdKbJYZms20li2q9TiU= Date: Mon, 13 May 2024 11:34:17 +0300 From: Laurent Pinchart To: Maxime Ripard Cc: Nicolas Dufresne , Bryan O'Donoghue , Dmitry Baryshkov , Hans de Goede , Sumit Semwal , Benjamin Gaignard , Brian Starkey , John Stultz , "T.J. Mercier" , Christian =?utf-8?B?S8O2bmln?= , Lennart Poettering , Robert Mader , Sebastien Bacher , Linux Media Mailing List , "dri-devel@lists.freedesktop.org" , linaro-mm-sig@lists.linaro.org, Linux Kernel Mailing List , Milan Zamazal , Andrey Konovalov Subject: Re: Safety of opening up /dev/dma_heap/* to physically present users (udev uaccess tag) ? Message-ID: <20240513083417.GA18630@pendragon.ideasonboard.com> References: <3c0c7e7e-1530-411b-b7a4-9f13e0ff1f9e@redhat.com> <20240507183613.GB20390@pendragon.ideasonboard.com> <4f59a9d78662831123cc7e560218fa422e1c5eca.camel@collabora.com> <20240513-heretic-didactic-newt-1d6daf@penduick> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240513-heretic-didactic-newt-1d6daf@penduick> On Mon, May 13, 2024 at 10:29:22AM +0200, Maxime Ripard wrote: > On Wed, May 08, 2024 at 10:36:08AM +0200, Daniel Vetter wrote: > > On Tue, May 07, 2024 at 04:07:39PM -0400, Nicolas Dufresne wrote: > > > Hi, > > > > > > Le mardi 07 mai 2024 à 21:36 +0300, Laurent Pinchart a écrit : > > > > Shorter term, we have a problem to solve, and the best option we have > > > > found so far is to rely on dma-buf heaps as a backend for the frame > > > > buffer allocatro helper in libcamera for the use case described above. > > > > This won't work in 100% of the cases, clearly. It's a stop-gap measure > > > > until we can do better. > > > > > > Considering the security concerned raised on this thread with dmabuf heap > > > allocation not be restricted by quotas, you'd get what you want quickly with > > > memfd + udmabuf instead (which is accounted already). > > > > > > It was raised that distro don't enable udmabuf, but as stated there by Hans, in > > > any cases distro needs to take action to make the softISP works. This > > > alternative is easy and does not interfere in anyway with your future plan or > > > the libcamera API. You could even have both dmabuf heap (for Raspbian) and the > > > safer memfd+udmabuf for the distro with security concerns. > > > > > > And for the long term plan, we can certainly get closer by fixing that issue > > > with accounting. This issue also applied to v4l2 io-ops, so it would be nice to > > > find common set of helpers to fix these exporters. > > > > Yeah if this is just for softisp, then memfd + udmabuf is also what I was > > about to suggest. Not just as a stopgap, but as the real official thing. > > > > udmabuf does kinda allow you to pin memory, but we can easily fix that by > > adding the right accounting and then either let mlock rlimits or cgroups > > kernel memory limits enforce good behavior. > > I think the main drawback with memfd is that it'll be broken for devices > without an IOMMU, and while you said that it's uncommon for GPUs, it's > definitely not for codecs and display engines. If the application wants to share buffers between the camera and a display engine or codec, it should arguably not use the libcamera FrameBufferAllocator, but allocate the buffers from the display or the encoder. memfd wouldn't be used in that case. We need to eat our own dogfood though. If we want to push the responsibility for buffer allocation in the buffer sharing case to the application, we need to modify the cam application to do so when using the KMS backend. -- Regards, Laurent Pinchart