aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJérôme Glisse <jglisse@redhat.com>2016-04-19 09:07:50 -0400
committerAlex Deucher <alexander.deucher@amd.com>2016-04-21 20:03:46 -0400
commitb5dcec693f87cb8475f2291c0075b2422addd3d6 (patch)
tree25fbbd4667f947c03abb66632dc961d06523e54b
parentdrm/amdgpu: bump the afmt limit for CZ, ST, Polaris (diff)
downloadlinux-dev-b5dcec693f87cb8475f2291c0075b2422addd3d6.tar.xz
linux-dev-b5dcec693f87cb8475f2291c0075b2422addd3d6.zip
drm/radeon: forbid mapping of userptr bo through radeon device file
Allowing userptr bo which are basicly a list of page from some vma (so either anonymous page or file backed page) would lead to serious corruption of kernel structures and counters (because we overwrite the page->mapping field when mapping buffer). This will already block if the buffer was populated before anyone does try to mmap it because then TTM_PAGE_FLAG_SG would be set in in the ttm_tt flags. But that flag is check before ttm_tt_populate in the ttm vm fault handler. So to be safe just add a check to verify_access() callback. Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Jérôme Glisse <jglisse@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-rw-r--r--drivers/gpu/drm/radeon/radeon_ttm.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
index 7dddfdce85e6..90f739478a1b 100644
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -235,6 +235,8 @@ static int radeon_verify_access(struct ttm_buffer_object *bo, struct file *filp)
{
struct radeon_bo *rbo = container_of(bo, struct radeon_bo, tbo);
+ if (radeon_ttm_tt_has_userptr(bo->ttm))
+ return -EPERM;
return drm_vma_node_verify_access(&rbo->gem_base.vma_node, filp);
}