video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case: 1. NVMAP_IOC_CREATE gives a valid fd to user space 2. user space calls NVMAP_IOC_ALLOC and it fails. So, all of the handle's allocation fields are zero. 3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap call. 4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc, h->vaddr all are 0. 5. We check for h->heap_pgalloc which is false, so proceed and dereference h->carveout leading to NULL pointer exception. A valid __nvmap_mmap should occur only when h->alloc is true. So, add check for it. bug 1837468 Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com> Reviewed-on: http://git-master/r/1253236 (cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3) Reviewed-on: http://git-master/r/1312264 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu <bbasu@nvidia.com> Tested-by: Bibek Basu <bbasu@nvidia.com>
author: Sri Krishna chowdary <schowdary@nvidia.com> 2016-11-15 11:23:30 +0530
committer: Winnie Hsu <whsu@nvidia.com> 2017-05-05 14:54:34 -0700
commit: 7c7162fbc912dd6c751d929d188b27f71bd2ede3 (patch)
tree: a5639869adca4616e3421488784f6d8cc3de9cf9
parent: 555a69ad03e354d20a7a9bd5eb4d966d5b25c7b5 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap.c b/drivers/video/tegra/nvmap/nvmap.c
index 16eeeb2638d5..09f436102c6b 100644
--- a/drivers/video/tegra/nvmap/nvmap.c
+++ b/drivers/video/tegra/nvmap/nvmap.c
@@ -265,6 +265,9 @@ void *__nvmap_mmap(struct nvmap_handle *h)
 	if (!h)
 		return NULL;
 
+	if (!h->alloc)
+		return NULL;
+
 	prot = nvmap_pgprot(h, PG_PROT_KERNEL);
 
 	if (h->heap_pgalloc) {
author	Sri Krishna chowdary <schowdary@nvidia.com>	2016-11-15 11:23:30 +0530
committer	Winnie Hsu <whsu@nvidia.com>	2017-05-05 14:54:34 -0700
commit	7c7162fbc912dd6c751d929d188b27f71bd2ede3 (patch)
tree	a5639869adca4616e3421488784f6d8cc3de9cf9
parent	555a69ad03e354d20a7a9bd5eb4d966d5b25c7b5 (diff)