@@ -219,7 +219,8 @@ static const struct vm_operations_struct ttm_bo_vm_ops = {
.close = ttm_bo_vm_close
};
-static struct ttm_buffer_object *ttm_bo_vm_lookup(struct ttm_bo_device *bdev,
+static struct ttm_buffer_object *ttm_bo_vm_lookup(struct file *filp,
+ struct ttm_bo_device *bdev,
unsigned long offset,
unsigned long pages)
{
@@ -229,7 +230,7 @@ static struct ttm_buffer_object *ttm_bo_vm_lookup(struct ttm_bo_device *bdev,
read_lock(&bdev->vm_lock);
node = drm_vma_offset_lookup(&bdev->vma_manager, offset, pages);
- if (likely(node)) {
+ if (likely(node) && drm_vma_node_is_allowed(node, filp)) {
bo = container_of(node, struct ttm_buffer_object, vma_node);
if (!kref_get_unless_zero(&bo->kref))
bo = NULL;
@@ -250,7 +251,7 @@ int ttm_bo_mmap(struct file *filp, struct vm_area_struct *vma,
struct ttm_buffer_object *bo;
int ret;
- bo = ttm_bo_vm_lookup(bdev, vma->vm_pgoff, vma_pages(vma));
+ bo = ttm_bo_vm_lookup(filp, bdev, vma->vm_pgoff, vma_pages(vma));
if (unlikely(!bo))
return -EINVAL;
@@ -310,7 +311,7 @@ ssize_t ttm_bo_io(struct ttm_bo_device *bdev, struct file *filp,
bool no_wait = false;
bool dummy;
- bo = ttm_bo_vm_lookup(bdev, dev_offset, 1);
+ bo = ttm_bo_vm_lookup(filp, bdev, dev_offset, 1);
if (unlikely(bo == NULL))
return -EFAULT;
If a user does not have access to a given buffer, we must not allow them to mmap it. Otherwise, users could "guess" the buffer offsets of other users and get access to the buffer. All TTM drivers already use the new VMA offset manager access management so we can enable TTM mmap access management now. Signed-off-by: David Herrmann <dh.herrmann@gmail.com> --- drivers/gpu/drm/ttm/ttm_bo_vm.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)