On Thu, Sep 16, 2021 at 3:44 PM Oded Gabbay ogabbay@kernel.org wrote:
On Thu, Sep 16, 2021 at 3:31 PM Daniel Vetter daniel@ffwll.ch wrote:
Maybe I got the device security model all wrong, but I thought Guadi is single user, and the only thing it protects is the system against the Gaudi device trhough iommu/device gart. So roughly the following can happen:
User A opens gaudi device, sets up dma-buf export
User A registers that with RDMA, or anything else that doesn't support
revoke.
- User A closes gaudi device
This can not happen without User A closing the FD of the dma-buf it exported. We prevent User A from closing the device because when it exported the dma-buf, the driver's code took a refcnt of the user's private structure. You can see that in export_dmabuf_common() in the 2nd patch. There is a call there to hl_ctx_get. So even if User A calls close(device_fd), the driver won't let any other user open the device until User A closes the fd of the dma-buf object.
Moreover, once User A will close the dma-buf fd and the device is released, the driver will scrub the device memory (this is optional for systems who care about security).
And AFAIK, User A can't close the dma-buf fd once it registered it with RDMA, without doing unregister. This can be seen in ib_umem_dmabuf_get() which calls dma_buf_get() which does fget(fd)
Adding Daniel, I don't know how his email got dropped when I replied to him...