video: tegra: nvmap: fix input check in mmap ioctl

nvmap_map_into_caller_ptr takes a memory handle from usermode and adds a memory mapping for the handle. However, the handle is not checked for being allocated. An unallocated handle would cause a kernel panic later on from a NULL dereference. Change-Id: I73987b097a0c843b913660445e8bd1b4755dac61 Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com> Reviewed-on: http://git-master/r/119689 Reviewed-by: Simone Willett <swillett@nvidia.com> Tested-by: Simone Willett <swillett@nvidia.com>
author: Tuomas Tynkkynen <ttynkkynen@nvidia.com> 2012-07-31 17:49:49 +0300
committer: Simone Willett <swillett@nvidia.com> 2012-08-16 13:42:43 -0700
commit: 2f4ab5b6a19c1380b0985f914c173af09b802dcf (patch)
tree: a177d4759153cf82ff5edb6c0641e54e6a01c89d /drivers/video/tegra
parent: a6e2dc5aacc56bdbc771cdf0e9e75924c1ea6650 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index bb15699ad855..e3adc0abc174 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -239,6 +239,11 @@ int nvmap_map_into_caller_ptr(struct file *filp, void __user *arg)
 	if (!h)
 		return -EPERM;
 
+	if(!h->alloc) {
+		nvmap_handle_put(h);
+		return -EFAULT;
+	}
+
 	trace_nvmap_map_into_caller_ptr(client, h, op.offset,
 					op.length, op.flags);
 	down_read(&current->mm->mmap_sem);
author	Tuomas Tynkkynen <ttynkkynen@nvidia.com>	2012-07-31 17:49:49 +0300
committer	Simone Willett <swillett@nvidia.com>	2012-08-16 13:42:43 -0700
commit	2f4ab5b6a19c1380b0985f914c173af09b802dcf (patch)
tree	a177d4759153cf82ff5edb6c0641e54e6a01c89d /drivers/video/tegra
parent	a6e2dc5aacc56bdbc771cdf0e9e75924c1ea6650 (diff)