From 05efb1abecce6e36457ae1a7be29ded7ac52292a Mon Sep 17 00:00:00 2001 From: Thomas Hellstrom Date: Wed, 18 Dec 2013 14:13:29 +0100 Subject: drm/ttm: ttm object security fixes for render nodes When a client looks up a ttm object, don't look it up through the device hash table, but rather from the file hash table. That makes sure that the client has indeed put a reference on the object, or in gem terms, has opened the object; either using prime or using the global "name". To avoid a performance loss, make sure the file hash table entries can be looked up from under an RCU lock, and as a consequence, replace the rwlock with a spinlock, since we never need to take it in read mode only anymore. Finally add a ttm object lookup function for the device hash table, that is intended to be used when we put a ref object on a base object or, in gem terms, when we open the object. Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul --- include/drm/ttm/ttm_object.h | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'include/drm') diff --git a/include/drm/ttm/ttm_object.h b/include/drm/ttm/ttm_object.h index 58b029894eb3..0097cc03034e 100644 --- a/include/drm/ttm/ttm_object.h +++ b/include/drm/ttm/ttm_object.h @@ -190,13 +190,25 @@ extern int ttm_base_object_init(struct ttm_object_file *tfile, * @key: Hash key * * Looks up a struct ttm_base_object with the key @key. - * Also verifies that the object is visible to the application, by - * comparing the @tfile argument and checking the object shareable flag. */ extern struct ttm_base_object *ttm_base_object_lookup(struct ttm_object_file *tfile, uint32_t key); +/** + * ttm_base_object_lookup_for_ref + * + * @tdev: Pointer to a struct ttm_object_device. + * @key: Hash key + * + * Looks up a struct ttm_base_object with the key @key. + * This function should only be used when the struct tfile associated with the + * caller doesn't yet have a reference to the base object. + */ + +extern struct ttm_base_object * +ttm_base_object_lookup_for_ref(struct ttm_object_device *tdev, uint32_t key); + /** * ttm_base_object_unref * @@ -218,6 +230,8 @@ extern void ttm_base_object_unref(struct ttm_base_object **p_base); * @existed: Upon completion, indicates that an identical reference object * already existed, and the refcount was upped on that object instead. * + * Checks that the base object is shareable and adds a ref object to it. + * * Adding a ref object to a base object is basically like referencing the * base object, but a user-space application holds the reference. When the * file corresponding to @tfile is closed, all its reference objects are -- cgit v1.2.3