drm/vmwgfx: Tighten the security around buffer maps

Make sure that other DRM clients can't map the contents of non-shareable buffer objects. Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Brian Paul <brianp@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
author: Thomas Hellstrom <thellstrom@vmware.com> 2012-11-21 10:04:18 -0500
committer: Dave Airlie <airlied@redhat.com> 2012-11-28 05:09:08 -0500
commit: d08a9b9cd82f668a5437c23e59063387ca3ecec5 (patch)
tree: ba4f33c31d5cf530c244b2ec0fa8bf5865677563
parent: 219e81536c8776b30ccf3262c1ceaeaddf7a231a (diff)
3 files changed, 26 insertions, 5 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c b/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
index ef1109c8fec8..96dc84dc34d0 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
@@ -248,13 +248,12 @@ void vmw_evict_flags(struct ttm_buffer_object *bo,
        *placement = vmw_sys_placement;
 }
-/**
- * FIXME: Proper access checks on buffers.
- */
 static int vmw_verify_access(struct ttm_buffer_object *bo, struct file *filp)
 {
-        return 0;
+        struct ttm_object_file *tfile =
+                vmw_fpriv((struct drm_file *)filp->private_data)->tfile;
+        return vmw_user_dmabuf_verify_access(bo, tfile);
 }
 static int vmw_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *mem)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
index 34dce9e2b6d2..13aeda71280e 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -461,6 +461,8 @@ extern int vmw_dmabuf_init(struct vmw_private *dev_priv,
                           size_t size, struct ttm_placement *placement,
                           bool interuptable,
                           void (*bo_free) (struct ttm_buffer_object *bo));
+extern int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
+                                  struct ttm_object_file *tfile);
 extern int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
                                  struct drm_file *file_priv);
 extern int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data,
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
index 88b6f921ee94..0def4ff5b621 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
@@ -458,6 +458,26 @@ out_no_base_object:
        return ret;
 }
+/**
+ * vmw_user_dmabuf_verify_access - verify access permissions on this
+ * buffer object.
+ *
+ * @bo: Pointer to the buffer object being accessed
+ * @tfile: Identifying the caller.
+ */
+int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
+                                  struct ttm_object_file *tfile)
+{
+        struct vmw_user_dma_buffer *vmw_user_bo;
+        if (unlikely(bo->destroy != vmw_user_dmabuf_destroy))
+                return -EPERM;
+        vmw_user_bo = vmw_user_dma_buffer(bo);
+        return (vmw_user_bo->base.tfile == tfile ||
+        vmw_user_bo->base.shareable) ? 0 : -EPERM;
+}
 int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
                           struct drm_file *file_priv)
 {
author	Thomas Hellstrom <thellstrom@vmware.com>	2012-11-21 10:04:18 -0500
committer	Dave Airlie <airlied@redhat.com>	2012-11-28 05:09:08 -0500
commit	d08a9b9cd82f668a5437c23e59063387ca3ecec5 (patch)
tree	ba4f33c31d5cf530c244b2ec0fa8bf5865677563
parent	219e81536c8776b30ccf3262c1ceaeaddf7a231a (diff)