linux-mm.kvack.org archive mirror
From: Nicolas Dufresne <nicolas@ndufresne.ca>
To: Hsia-Jun Li <Randy.Li@synaptics.com>, linux-mm@kvack.org
Cc: dri-devel@lists.freedesktop.org,
	Linux Media Mailing List <linux-media@vger.kernel.org>,
	hughd@google.com, akpm@linux-foundation.org,
	Simon Ser <contact@emersion.fr>,
	Hans Verkuil <hverkuil-cisco@xs4all.nl>,
	Tomasz Figa <tfiga@chromium.org>,
	daniels@collabora.com, ayaka <ayaka@soulik.info>,
	 linux-kernel@vger.kernel.org
Subject: Re: [RFC]: shmem fd for non-DMA buffer sharing cross drivers
Date: Tue, 22 Aug 2023 15:55:27 -0400
Message-ID: <9e3c7a11ed1d50c4afdf4f181aae7d4a6a425329.camel@ndufresne.ca>
In-Reply-To: <029b982f-da62-4fa8-66c4-ab11a515574a@synaptics.com>

Hi,

Le mardi 22 août 2023 à 19:14 +0800, Hsia-Jun Li a écrit :
> Hello
> 
> I would like to introduce a usage of SHMEM similar to DMA-buf, the major 
> purpose of that is sharing metadata or just a pure container for cross 
> drivers.
> 
> We need to exchange some sort of metadata between drivers, like dynamic 
> HDR data between video4linux2 and DRM. Or the graphics frame buffer is 
> too complex to be described with plain plane's DMA-buf fd.
> An issue between DRM and V4L2 is that DRM could only support 4 planes 
> while it is 8 for V4L2. It would be pretty hard for DRM to expand its 
> interface to support those 4 more planes, which would lead to revision of 
> many standards like Vulkan, EGL.
> 
> Also, there is no reason to consume a device's memory for the content 
> that device can't read it, or wasting an entry of IOMMU for such data.
> Usually, such a metadata would be the value should be written to a 
> hardware's registers, a 4KiB page would be 1024 items of 32 bits registers.
> 
> Still, I have some problems with SHMEM:
> 1. I don't want the userspace to modify the context of the SHMEM allocated 
> by the kernel, is there a way to do so?
> 2. Should I create a helper function for installing the SHMEM file as a fd?

Please have a look at memfd and the seal feature, it does cover the reason why
unsealed shared memory requires full trust. For controls, the SEAL_WRITE is even
needed, as with appropriate timing, a malicious process can modify the data in-
between validation and allocation, causing possible memory overflow.

https://man7.org/linux/man-pages/man2/memfd_create.2.html
File sealing
       In the absence of file sealing, processes that communicate via
       shared memory must either trust each other, or take measures to
       deal with the possibility that an untrusted peer may manipulate
       the shared memory region in problematic ways.  For example, an
       untrusted peer might modify the contents of the shared memory at
       any time, or shrink the shared memory region.  The former
       possibility leaves the local process vulnerable to time-of-check-
       to-time-of-use race conditions (typically dealt with by copying
       data from the shared memory region before checking and using it).
       The latter possibility leaves the local process vulnerable to
       SIGBUS signals when an attempt is made to access a now-
       nonexistent location in the shared memory region.  (Dealing with
       this possibility necessitates the use of a handler for the SIGBUS
       signal.)

       Dealing with untrusted peers imposes extra complexity on code
       that employs shared memory.  Memory sealing enables that extra
       complexity to be eliminated, by allowing a process to operate
       secure in the knowledge that its peer can't modify the shared
       memory in an undesired fashion.

       [...]

regards,
Nicolas
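
The sealing behaviour referred to in this reply, as an added userspace example (not code from the thread or from any driver): a producer fills a memfd and applies F_SEAL_WRITE, F_SEAL_SHRINK, F_SEAL_GROW and F_SEAL_SEAL, and a consumer checks F_GET_SEALS and the size before trusting the buffer. The helper names `make_meta`, `meta_is_trustworthy` and `write_is_refused` are hypothetical; the raw syscall and fallback constants only make it build without _GNU_SOURCE.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/memfd.h>   /* MFD_CLOEXEC, MFD_ALLOW_SEALING */
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef F_ADD_SEALS        /* glibc hides these without _GNU_SOURCE */
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x1
#define F_SEAL_SHRINK 0x2
#define F_SEAL_GROW   0x4
#define F_SEAL_WRITE  0x8
#endif
#define WANT_SEALS (F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL)

/* Producer (hypothetical helper): fill a memfd, optionally freeze it. */
int make_meta(const void *data, size_t len, int seal)
{
    int fd = (int)syscall(SYS_memfd_create, "meta",
                          MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        (seal && fcntl(fd, F_ADD_SEALS, WANT_SEALS) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Consumer: accept only a buffer whose contents and size are frozen. */
int meta_is_trustworthy(int fd, size_t expected_len)
{
    struct stat st;
    int seals = fcntl(fd, F_GET_SEALS);  /* fails with EINVAL on non-memfd */
    if (seals < 0 || (seals & WANT_SEALS) != WANT_SEALS)
        return 0;
    return fstat(fd, &st) == 0 && (size_t)st.st_size == expected_len;
}

/* Returns 1 when the kernel rejects a write to the fd with EPERM. */
int write_is_refused(int fd)
{
    char b = 0;
    return pwrite(fd, &b, 1, 0) < 0 && errno == EPERM;
}
```

A consumer that receives an fd failing `meta_is_trustworthy` has to fall back to copying the data out before validating it, as the man page excerpt above describes.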

