dmaengine: idxd: Fix allowing write() from different address spaces

[ Upstream commit 8dfa57aabff625bf445548257f7711ef294cd30e ]

Check if the process submitting the descriptor belongs to the same
address space as the one that opened the file, reject otherwise.

Fixes: 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20250421170337.3008875-1-dave.jiang@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index c7aa47f01df02357295793d32b7d2c0a9e475c37..186f005bfa8fd67aeb844a8f37c1d2d2729962ba 100644 (file)
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -240,6 +240,9 @@ static int idxd_cdev_mmap(struct file *filp, struct vm_area_struct *vma)
        if (!idxd->user_submission_safe && !capable(CAP_SYS_RAWIO))
                return -EPERM;
 
+       if (current->mm != ctx->mm)
+               return -EPERM;
+
        rc = check_vma(wq, vma, __func__);
        if (rc < 0)
                return rc;
@@ -306,6 +309,9 @@ static ssize_t idxd_cdev_write(struct file *filp, const char __user *buf, size_t
        ssize_t written = 0;
        int i;
 
+       if (current->mm != ctx->mm)
+               return -EPERM;
+
        for (i = 0; i < len/sizeof(struct dsa_hw_desc); i++) {
                int rc = idxd_submit_user_descriptor(ctx, udesc + i);
 
@@ -326,6 +332,9 @@ static __poll_t idxd_cdev_poll(struct file *filp,
        struct idxd_device *idxd = wq->idxd;
        __poll_t out = 0;
 
+       if (current->mm != ctx->mm)
+               return -EPERM;
+
        poll_wait(filp, &wq->err_queue, wait);
        spin_lock(&idxd->dev_lock);
        if (idxd->sw_err.valid)