nvmap: tighten handle validation before pinning

Do not allow pinning handles without local context anymore (this was a
special case and is not needed anymore). Also, added check for handle poison
before pinning. This prevents kernel panic (BUG_ON in
_nvmap_handle_pin_locked) when trying to pin already freed handle.

Change-Id: Iabf408c182aa0907596957233169568abedbbb1f
Reviewed-on: http://git-master/r/1449
Reviewed-by: Antti Rasmus <arasmus@nvidia.com>
Tested-by: Anssi Kalliolahti <akalliolahti@nvidia.com>
Reviewed-by: Gary King <gking@nvidia.com>

1 files changed, 11 insertions, 9 deletions

diff --git a/drivers/char/nvmap.c b/drivers/char/nvmap.c
index 969c2106ca64..bc522abcf3e1 100644
--- a/drivers/char/nvmap.c
+++ b/drivers/char/nvmap.c
@@ -1393,6 +1393,12 @@ struct nvmap_handle_ref *_nvmap_ref_lookup_locked(
 	struct nvmap_file_priv *priv, unsigned long ref)
 {
 	struct rb_node *n = priv->handle_refs.rb_node;
+	struct nvmap_handle *h = (struct nvmap_handle *)ref;
+
+	if (unlikely(h->poison != NVDA_POISON)) {
+		pr_err("%s: handle is poisoned\n", __func__);
+		return NULL;
+	}
 
 	while (n) {
 		struct nvmap_handle_ref *r;
@@ -1572,16 +1578,12 @@ static int _nvmap_do_pin(struct nvmap_file_priv *priv,
 	spin_lock(&priv->ref_lock);
 	for (i=0; i<nr && !ret; i++) {
 		r = _nvmap_ref_lookup_locked(priv, refs[i]);
-		if (!r && (!(priv->su || h[i]->global ||
-		    current->group_leader == h[i]->owner)))
-			ret = -EPERM;
-		else if (r) atomic_inc(&r->pin);
+		if (likely(r)) atomic_inc(&r->pin);
 		else {
-			pr_err("%s: %s pinning %s's %uB handle without "
-				"local context\n", __func__,
-				current->group_leader->comm,
-				h[i]->owner->comm, h[i]->orig_size);
-                }
+			pr_err("%s: %s pinning invalid handle\n", __func__,
+				current->group_leader->comm);
+			ret = -EPERM;
+		}
 	}
 
 	while (ret && i--) {