drm/vmwgfx: Tighten the security around buffer maps
authorThomas Hellstrom <thellstrom@vmware.com>
Wed, 19 Mar 2014 14:06:21 +0000 (15:06 +0100)
committerThomas Hellstrom <thellstrom@vmware.com>
Fri, 28 Mar 2014 13:19:04 +0000 (14:19 +0100)
Make sure only buffer objects that are referenced by the client can be mapped.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
drivers/gpu/drm/vmwgfx/vmwgfx_resource.c

index 30439cbeac2bd8ad166c3bf7eebd9899d865337f..01d68f0a69dca74067b1dab583ab860711d6933a 100644 (file)
@@ -538,8 +538,13 @@ int vmw_user_dmabuf_verify_access(struct ttm_buffer_object *bo,
                return -EPERM;
 
        vmw_user_bo = vmw_user_dma_buffer(bo);
-       return (vmw_user_bo->prime.base.tfile == tfile ||
-               vmw_user_bo->prime.base.shareable) ? 0 : -EPERM;
+
+       /* Check that the caller has opened the object. */
+       if (likely(ttm_ref_object_exists(tfile, &vmw_user_bo->prime.base)))
+               return 0;
+
+       DRM_ERROR("Could not grant buffer access.\n");
+       return -EPERM;
 }
 
 /**