diff options
| author | Sri Krishna chowdary <schowdary@nvidia.com> | 2016-11-15 11:23:30 +0530 |
|---|---|---|
| committer | Winnie Hsu <whsu@nvidia.com> | 2017-05-05 14:54:34 -0700 |
| commit | 7c7162fbc912dd6c751d929d188b27f71bd2ede3 (patch) | |
| tree | a5639869adca4616e3421488784f6d8cc3de9cf9 /drivers/video/tegra/host/host1x/host1x.c | |
| parent | 555a69ad03e354d20a7a9bd5eb4d966d5b25c7b5 (diff) | |
video: tegra: nvmap: Check if handle holds a buffer before map
Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.
A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.
bug 1837468
Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Diffstat (limited to 'drivers/video/tegra/host/host1x/host1x.c')
0 files changed, 0 insertions, 0 deletions