Commit d08a9b9c authored by Thomas Hellstrom's avatar Thomas Hellstrom Committed by Dave Airlie

drm/vmwgfx: Tighten the security around buffer maps

Make sure that other DRM clients can't map the contents of
non-shareable buffer objects.
Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: default avatarBrian Paul <brianp@vmware.com>
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
parent 219e8153
...@@ -248,13 +248,12 @@ void vmw_evict_flags(struct ttm_buffer_object *bo, ...@@ -248,13 +248,12 @@ void vmw_evict_flags(struct ttm_buffer_object *bo,
*placement = vmw_sys_placement; *placement = vmw_sys_placement;
} }
/**
* FIXME: Proper access checks on buffers.
*/
static int vmw_verify_access(struct ttm_buffer_object *bo, struct file *filp) static int vmw_verify_access(struct ttm_buffer_object *bo, struct file *filp)
{ {
return 0; struct ttm_object_file *tfile =
vmw_fpriv((struct drm_file *)filp->private_data)->tfile;
return vmw_user_dmabuf_verify_access(bo, tfile);
} }
static int vmw_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *mem) static int vmw_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *mem)
......
...@@ -461,6 +461,8 @@ extern int vmw_dmabuf_init(struct vmw_private *dev_priv, ...@@ -461,6 +461,8 @@ extern int vmw_dmabuf_init(struct vmw_private *dev_priv,
size_t size, struct ttm_placement *placement, size_t size, struct ttm_placement *placement,
bool interuptable, bool interuptable,
void (*bo_free) (struct ttm_buffer_object *bo)); void (*bo_free) (struct ttm_buffer_object *bo));
extern int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
struct ttm_object_file *tfile);
extern int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data, extern int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
struct drm_file *file_priv); struct drm_file *file_priv);
extern int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data, extern int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data,
......
...@@ -458,6 +458,26 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv, ...@@ -458,6 +458,26 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv,
return ret; return ret;
} }
/**
* vmw_user_dmabuf_verify_access - verify access permissions on this
* buffer object.
*
* @bo: Pointer to the buffer object being accessed
* @tfile: Identifying the caller.
*/
int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
struct ttm_object_file *tfile)
{
struct vmw_user_dma_buffer *vmw_user_bo;
if (unlikely(bo->destroy != vmw_user_dmabuf_destroy))
return -EPERM;
vmw_user_bo = vmw_user_dma_buffer(bo);
return (vmw_user_bo->base.tfile == tfile ||
vmw_user_bo->base.shareable) ? 0 : -EPERM;
}
int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data, int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
struct drm_file *file_priv) struct drm_file *file_priv)
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment