From patchwork Wed Nov 21 15:04:18 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Hellstrom <thellstrom@vmware.com>
X-Patchwork-Id: 1781311
Return-Path: 
 <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork1.kernel.org
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by patchwork1.kernel.org (Postfix) with ESMTP id D5F693FC5A
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Wed, 21 Nov 2012 15:09:42 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id D1F66E5CDA
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Wed, 21 Nov 2012 07:09:42 -0800 (PST)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from smtp-outbound-1.vmware.com (smtp-outbound-1.vmware.com
	[208.91.2.12])
	by gabe.freedesktop.org (Postfix) with ESMTP id BF287E5CB5
	for <dri-devel@lists.freedesktop.org>;
	Wed, 21 Nov 2012 07:04:29 -0800 (PST)
Received: from sc9-mailhost2.vmware.com (sc9-mailhost2.vmware.com
	[10.113.161.72])
	by smtp-outbound-1.vmware.com (Postfix) with ESMTP id 776752840A;
	Wed, 21 Nov 2012 07:04:29 -0800 (PST)
Received: from zcs-prod-mta-2.vmware.com (zcs-prod-mta-2.vmware.com
	[10.113.163.64])
	by sc9-mailhost2.vmware.com (Postfix) with ESMTP id 73DC8B0679;
	Wed, 21 Nov 2012 07:04:29 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by zcs-prod-mta-2.vmware.com (Postfix) with ESMTP id 6D406E05DE;
	Wed, 21 Nov 2012 07:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at zcs-prod-mta-2.vmware.com
Received: from zcs-prod-mta-2.vmware.com ([127.0.0.1])
	by localhost (zcs-prod-mta-2.vmware.com [127.0.0.1]) (amavisd-new,
	port 10026)
	with ESMTP id sKGpMbOwZRcL; Wed, 21 Nov 2012 07:04:26 -0800 (PST)
Received: from sc9-mailhost1.vmware.com (unknown [10.113.160.14])
	by zcs-prod-mta-2.vmware.com (Postfix) with ESMTPSA id EC94CE05E8;
	Wed, 21 Nov 2012 07:04:24 -0800 (PST)
From: Thomas Hellstrom <thellstrom@vmware.com>
To: airlied@gmail.com,
	airlied@redhat.com
Subject: [PATCH -next] drm/vmwgfx: Tighten the security around buffer maps
Date: Wed, 21 Nov 2012 16:04:18 +0100
Message-Id: <1353510258-3166-1-git-send-email-thellstrom@vmware.com>
X-Mailer: git-send-email 1.7.4.4
Cc: Thomas Hellstrom <thellstrom@vmware.com>, dri-devel@lists.freedesktop.org
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Sender: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

Make sure that other DRM clients can't map the contents of
non-shareable buffer objects.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c   |    9 ++++-----
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h      |    2 ++
 drivers/gpu/drm/vmwgfx/vmwgfx_resource.c |   20 ++++++++++++++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c b/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
index ef1109c..96dc84d 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_buffer.c
@@ -248,13 +248,12 @@ void vmw_evict_flags(struct ttm_buffer_object *bo,
 	*placement = vmw_sys_placement;
 }
 
-/**
- * FIXME: Proper access checks on buffers.
- */
-
 static int vmw_verify_access(struct ttm_buffer_object *bo, struct file *filp)
 {
-	return 0;
+	struct ttm_object_file *tfile =
+		vmw_fpriv((struct drm_file *)filp->private_data)->tfile;
+
+	return vmw_user_dmabuf_verify_access(bo, tfile);
 }
 
 static int vmw_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *mem)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
index 34dce9e..13aeda7 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -461,6 +461,8 @@ extern int vmw_dmabuf_init(struct vmw_private *dev_priv,
 			   size_t size, struct ttm_placement *placement,
 			   bool interuptable,
 			   void (*bo_free) (struct ttm_buffer_object *bo));
+extern int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
+				  struct ttm_object_file *tfile);
 extern int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
 				  struct drm_file *file_priv);
 extern int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data,
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
index 88b6f92..0def4ff 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
@@ -458,6 +458,26 @@ out_no_base_object:
 	return ret;
 }
 
+/**
+ * vmw_user_dmabuf_verify_access - verify access permissions on this
+ * buffer object.
+ *
+ * @bo: Pointer to the buffer object being accessed
+ * @tfile: Identifying the caller.
+ */
+int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
+				  struct ttm_object_file *tfile)
+{
+	struct vmw_user_dma_buffer *vmw_user_bo;
+
+	if (unlikely(bo->destroy != vmw_user_dmabuf_destroy))
+		return -EPERM;
+
+	vmw_user_bo = vmw_user_dma_buffer(bo);
+	return (vmw_user_bo->base.tfile == tfile ||
+	vmw_user_bo->base.shareable) ? 0 : -EPERM;
+}
+
 int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
 			   struct drm_file *file_priv)
 {