video: tegra: nvmap: Fix NULL pointer dereference
author Sri Krishna chowdary <schowdary@nvidia.com>
Wed, 14 Dec 2016 06:28:30 +0000 (11:28 +0530)
committer Winnie Hsu <whsu@nvidia.com>
Fri, 9 Jun 2017 18:19:46 +0000 (11:19 -0700)
commit 244fcb70c61ffdec4c3b2d8511bf6c21d142ea7d
tree 3203310d36ce0c899ee77a62625b0039fad07489
parent a56af0990cf79a3af674ca0eba8556c5bf5a5f88
video: tegra: nvmap: Fix NULL pointer dereference

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till __nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

bug 1838597
bug 1883708

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1270827
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 928dc0a9fdc3f2f507dbc08ed4d54d0292fd4d9e in
rel-24)
Reviewed-on: http://git-master/r/1489493
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
drivers/video/tegra/nvmap/nvmap.c
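
A simplified user-space model of the sequence in the commit message, added here as an illustration; it is not the nvmap driver's code or the patch itself. `model_handle`, `model_alloc`, `model_sg_table`, `model_map` and the `-EINVAL` return value are assumptions; only the `alloc`, `heap_pgalloc` and `pages[]` names come from the message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define NR_PAGES 4

/* Hypothetical model of a handle: only the fields the commit message names. */
struct model_handle {
    bool alloc;            /* true only after the ALLOC step has run */
    bool heap_pgalloc;     /* page-backed (IOVMM) handle */
    int *pages[NR_PAGES];  /* all NULL until ALLOC populates them */
};

static int backing[NR_PAGES] = { 1, 2, 3, 4 };  /* constructed sample data */

/* Step 2, the one the failing sequence skips: ALLOC fills pages[]. */
static void model_alloc(struct model_handle *h)
{
    for (size_t i = 0; i < NR_PAGES; i++)
        h->pages[i] = &backing[i];
    h->alloc = true;
}

/* Steps 3-4: the mapping path. Returns the sum of the page contents, or a
 * negative errno. The alloc check comes before any use of pages[]; without
 * it the loop dereferences NULL. -EINVAL is an assumed error code. */
static int model_sg_table(const struct model_handle *h)
{
    int sum = 0;
    if (!h->alloc)
        return -EINVAL;
    for (size_t i = 0; h->heap_pgalloc && i < NR_PAGES; i++)
        sum += *h->pages[i];
    return sum;
}

/* Step 1 state (CREATE): heap_pgalloc set, alloc false, pages[] all NULL.
 * Then run the mapping path with or without the ALLOC step in between. */
static int model_map(bool call_alloc)
{
    struct model_handle h = { .heap_pgalloc = true };
    if (call_alloc)
        model_alloc(&h);
    return model_sg_table(&h);
}

int main(void) { return model_map(false) == -EINVAL && model_map(true) == 10 ? 0 : 1; }
```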