diff options
| author | Jérôme Glisse <jglisse@redhat.com> | 2016-04-19 09:07:50 -0400 |
|---|---|---|
| committer | Sasha Levin <sasha.levin@oracle.com> | 2016-05-10 12:17:32 -0400 |
| commit | 2719d3c05d4c93054e7c5838cc5b1906f72b465e (patch) | |
| tree | df1154dc5dec96393afc822f3dfea610950a6bde | |
| parent | 8361444613b869bd65386042f5c217469adb0952 (diff) | |
| download | lwn-2719d3c05d4c93054e7c5838cc5b1906f72b465e.tar.gz lwn-2719d3c05d4c93054e7c5838cc5b1906f72b465e.zip | |
drm/radeon: forbid mapping of userptr bo through radeon device file
[ Upstream commit b5dcec693f87cb8475f2291c0075b2422addd3d6 ]
Allowing userptr bo which are basicly a list of page from some vma
(so either anonymous page or file backed page) would lead to serious
corruption of kernel structures and counters (because we overwrite
the page->mapping field when mapping buffer).
This will already block if the buffer was populated before anyone does
try to mmap it because then TTM_PAGE_FLAG_SG would be set in in the
ttm_tt flags. But that flag is check before ttm_tt_populate in the ttm
vm fault handler.
So to be safe just add a check to verify_access() callback.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
| -rw-r--r-- | drivers/gpu/drm/radeon/radeon_ttm.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c index f5c0590bbf73..50ce26a3b314 100644 --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -235,6 +235,8 @@ static int radeon_verify_access(struct ttm_buffer_object *bo, struct file *filp) { struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo); + if (radeon_ttm_tt_has_userptr(bo->ttm)) + return -EPERM; return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp); } |