From 2f4ab5b6a19c1380b0985f914c173af09b802dcf Mon Sep 17 00:00:00 2001
From: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Date: Tue, 31 Jul 2012 17:49:49 +0300
Subject: video: tegra: nvmap: fix input check in mmap ioctl

nvmap_map_into_caller_ptr takes a memory handle from usermode
and adds a memory mapping for the handle. However, the handle
is not checked for being allocated. An unallocated handle
would cause a kernel panic later on from a NULL dereference.

Change-Id: I73987b097a0c843b913660445e8bd1b4755dac61
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/119689
Reviewed-by: Simone Willett <swillett@nvidia.com>
Tested-by: Simone Willett <swillett@nvidia.com>
---
 drivers/video/tegra/nvmap/nvmap_ioctl.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'drivers/video/tegra')

diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index bb15699ad855..e3adc0abc174 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -239,6 +239,11 @@ int nvmap_map_into_caller_ptr(struct file *filp, void __user *arg)
 	if (!h)
 		return -EPERM;
 
+	if(!h->alloc) {
+		nvmap_handle_put(h);
+		return -EFAULT;
+	}
+
 	trace_nvmap_map_into_caller_ptr(client, h, op.offset,
 					op.length, op.flags);
 	down_read(&current->mm->mmap_sem);
-- 
cgit v1.2.3