@@ -781,6 +781,8 @@ int drm_gem_dmabuf_mmap(struct dma_buf *dma_buf, struct vm_area_struct *vma)
struct drm_gem_object *obj = dma_buf->priv;
struct drm_device *dev = obj->dev;
+ dma_resv_assert_held(dma_buf->resv);
+
if (!dev->driver->gem_prime_mmap)
return -ENOSYS;
@@ -97,6 +97,8 @@ static int i915_gem_dmabuf_mmap(struct dma_buf *dma_buf, struct vm_area_struct *
struct drm_i915_private *i915 = to_i915(obj->base.dev);
int ret;
+ dma_resv_assert_held(dma_buf->resv);
+
if (obj->base.size < vma->vm_end - vma->vm_start)
return -EINVAL;
@@ -66,6 +66,8 @@ static int omap_gem_dmabuf_mmap(struct dma_buf *buffer,
struct drm_gem_object *obj = buffer->priv;
int ret = 0;
+ dma_resv_assert_held(buffer->resv);
+
ret = drm_gem_mmap_obj(obj, omap_gem_mmap_size(obj), vma);
if (ret < 0)
return ret;
@@ -694,6 +694,8 @@ static int tegra_gem_prime_mmap(struct dma_buf *buf, struct vm_area_struct *vma)
struct drm_gem_object *gem = buf->priv;
int err;
+ dma_resv_assert_held(buf->resv);
+
err = drm_gem_mmap_obj(gem, gem->size, vma);
if (err < 0)
return err;
When userspace mmaps dma-buf's fd, the dma-buf reservation lock must be held. Add locking sanity checks to the dma-buf mmaping callbacks of DRM drivers to ensure that the locking assumptions won't regress in future. Suggested-by: Daniel Vetter <daniel@ffwll.ch> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> --- drivers/gpu/drm/drm_prime.c | 2 ++ drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 2 ++ drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c | 2 ++ drivers/gpu/drm/tegra/gem.c | 2 ++ 4 files changed, 8 insertions(+)