From patchwork Tue Aug 13 19:38:30 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Herrmann <dh.herrmann@gmail.com>
X-Patchwork-Id: 2843982
Return-Path: 
 <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 662F5BF546
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 13 Aug 2013 19:52:17 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 46CFE204B5
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 13 Aug 2013 19:52:16 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id 54CE1204AE
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 13 Aug 2013 19:52:15 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 4D31FE7C6D
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 13 Aug 2013 12:52:15 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-ee0-f50.google.com (mail-ee0-f50.google.com
	[74.125.83.50])
	by gabe.freedesktop.org (Postfix) with ESMTP id 5E03EE7C59
	for <dri-devel@lists.freedesktop.org>;
	Tue, 13 Aug 2013 12:40:08 -0700 (PDT)
Received: by mail-ee0-f50.google.com with SMTP id d51so4340013eek.23
	for <dri-devel@lists.freedesktop.org>;
	Tue, 13 Aug 2013 12:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=/wVNiwiQP0MFy/MmeEcH67IDEm/kGImswqgYAQnYux8=;
	b=f8fYa20Urbu1Pf3u9YM+sCPkUYW1oLq8R/LxnmnxTedN8EorBCdgn3ryJGck12D6V2
	6EvqKE3qghquJGER4RpbJPFNLwmSPPF2igmIzZQsynF2MQZkog1lJ9auZc2fW5DzmDfX
	2N4OmQacSjkpLfOM5JWRVvChxBlSJ7h9n3dyOvKxHRZUj3IJSJXhmfBwKg3gmijI/kVe
	E4D6Ugg3OnaLaGZNwyCCsfgwqIW3xC2WRYRITVcC+gJ6J/4jWyDHT4MaRwnNZnt/V+bz
	KaL1VQaZGLxsfxKpNUrEIWDHXHTHdFzNLHKK6Lwg/89l0kNJA2TYAo78EB8/k0LFOw/m
	wClg==
X-Received: by 10.14.184.4 with SMTP id r4mr654740eem.100.1376422807421;
	Tue, 13 Aug 2013 12:40:07 -0700 (PDT)
Received: from localhost.localdomain (stgt-5f71b8eb.pool.mediaWays.net.
	[95.113.184.235]) by mx.google.com with ESMTPSA id
	a1sm68812938eem.1.2013.08.13.12.40.05 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Tue, 13 Aug 2013 12:40:06 -0700 (PDT)
From: David Herrmann <dh.herrmann@gmail.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 09/16] drm/ttm: prevent mmap access to unauthorized users
Date: Tue, 13 Aug 2013 21:38:30 +0200
Message-Id: <1376422717-12229-10-git-send-email-dh.herrmann@gmail.com>
X-Mailer: git-send-email 1.8.3.4
In-Reply-To: <1376422717-12229-1-git-send-email-dh.herrmann@gmail.com>
References: <1376422717-12229-1-git-send-email-dh.herrmann@gmail.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Sender: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD,
	T_DKIM_INVALID,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If a user does not have access to a given buffer, we must not allow them
to mmap it. Otherwise, users could "guess" the buffer offsets of other
users and get access to the buffer.
Similar to mmap(), we also fix ttm_bo_io() which is the backend for read()
and write() syscalls. It's currently unused, though.

All TTM drivers already use the new VMA offset manager access management
so we can enable TTM mmap access management now.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
---
 drivers/gpu/drm/ttm/ttm_bo_vm.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index 8c0e2c0..2c49953 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -219,7 +219,8 @@ static const struct vm_operations_struct ttm_bo_vm_ops = {
 	.close = ttm_bo_vm_close
 };
 
-static struct ttm_buffer_object *ttm_bo_vm_lookup(struct ttm_bo_device *bdev,
+static struct ttm_buffer_object *ttm_bo_vm_lookup(struct file *filp,
+						  struct ttm_bo_device *bdev,
 						  unsigned long offset,
 						  unsigned long pages)
 {
@@ -229,7 +230,7 @@ static struct ttm_buffer_object *ttm_bo_vm_lookup(struct ttm_bo_device *bdev,
 	drm_vma_offset_lock_lookup(&bdev->vma_manager);
 
 	node = drm_vma_offset_lookup_locked(&bdev->vma_manager, offset, pages);
-	if (likely(node)) {
+	if (likely(node) && drm_vma_node_is_allowed(node, filp)) {
 		bo = container_of(node, struct ttm_buffer_object, vma_node);
 		if (!kref_get_unless_zero(&bo->kref))
 			bo = NULL;
@@ -250,7 +251,7 @@ int ttm_bo_mmap(struct file *filp, struct vm_area_struct *vma,
 	struct ttm_buffer_object *bo;
 	int ret;
 
-	bo = ttm_bo_vm_lookup(bdev, vma->vm_pgoff, vma_pages(vma));
+	bo = ttm_bo_vm_lookup(filp, bdev, vma->vm_pgoff, vma_pages(vma));
 	if (unlikely(!bo))
 		return -EINVAL;
 
@@ -310,7 +311,7 @@ ssize_t ttm_bo_io(struct ttm_bo_device *bdev, struct file *filp,
 	bool no_wait = false;
 	bool dummy;
 
-	bo = ttm_bo_vm_lookup(bdev, dev_offset, 1);
+	bo = ttm_bo_vm_lookup(filp, bdev, dev_offset, 1);
 	if (unlikely(bo == NULL))
 		return -EFAULT;