video: tegra: nvmap: fix input check in mmap ioctl
Tuomas Tynkkynen [Tue, 31 Jul 2012 14:49:49 +0000 (17:49 +0300)]
nvmap_map_into_caller_ptr takes a memory handle from usermode
and adds a memory mapping for the handle. However, the handle
is not checked for being allocated. An unallocated handle
would cause a kernel panic later on from a NULL dereference.

Change-Id: I73987b097a0c843b913660445e8bd1b4755dac61
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/119689
Reviewed-by: Simone Willett <swillett@nvidia.com>
Tested-by: Simone Willett <swillett@nvidia.com>

drivers/video/tegra/nvmap/nvmap_ioctl.c

index bb15699..e3adc0a 100644 (file)
@@ -239,6 +239,11 @@ int nvmap_map_into_caller_ptr(struct file *filp, void __user *arg)
        if (!h)
                return -EPERM;
 
+       if(!h->alloc) {
+               nvmap_handle_put(h);
+               return -EFAULT;
+       }
+
        trace_nvmap_map_into_caller_ptr(client, h, op.offset,
                                        op.length, op.flags);
        down_read(&current->mm->mmap_sem);
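
Review bot: The added check at "if(!h->alloc) {" is missing the space after "if" that kernel coding style expects (checkpatch.pl reports it); please write "if (!h->alloc) {". The return value is also worth a second look. -EFAULT conventionally tells the caller that a user-space address was bad, while here the failure is a handle passed before it was allocated, so -EINVAL would describe the condition more accurately to usermode. A one-line comment above the check, saying that unallocated handles are rejected because mapping one leads to a NULL dereference later, would keep the reason next to the code instead of only in the commit message.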