video: tegra: nvmap: Fix NULL pointer dereference issues
author Sri Krishna chowdary <schowdary@nvidia.com>
Wed, 14 Dec 2016 06:28:30 +0000 (11:28 +0530)
committer mobile promotions <svcmobile_promotions@nvidia.com>
Fri, 3 Mar 2017 23:37:43 +0000 (15:37 -0800)
commit 9ae4f6fbb844760b4e6b34a25c4fb8178420dabb
tree c82a97e1d5f4972527609918d93c18e1372239b8
parent 22168ee3a52622c20ca8480de82102fb08119193
video: tegra: nvmap: Fix NULL pointer dereference issues

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till __nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

Bug 1838597

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1270827
(cherry picked from commit 928dc0a9fdc3f2f507dbc08ed4d54d0292fd4d9e)
Reviewed-on: http://git-master/r/1313777
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
drivers/video/tegra/nvmap/nvmap.c
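
The handle states described in the commit message, as a user-space model added here for illustration; it is not code from this commit or from the nvmap driver. All model_* names, the struct layout and the -EINVAL return value are assumptions.

```c
/* User-space model of the created-but-not-allocated handle; not nvmap code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_NPAGES 4

struct model_handle {                   /* hypothetical, simplified layout */
    int alloc;                          /* set only by the ALLOC step */
    int heap_pgalloc;                   /* backing store is a pages[] array */
    unsigned char *pages[MODEL_NPAGES];
};
static unsigned char model_backing[MODEL_NPAGES][16]; /* constructed, zero-filled */

/* Step 1 (CREATE): the handle exists, but pages[] is still all NULL. */
static void model_create(struct model_handle *h) {
    h->alloc = 0;
    h->heap_pgalloc = 1;                /* true in the scenario the message describes */
    for (size_t i = 0; i < MODEL_NPAGES; i++)
        h->pages[i] = NULL;
}
/* The ALLOC step that user space skips in step 2. */
static void model_alloc(struct model_handle *h) {
    for (size_t i = 0; i < MODEL_NPAGES; i++)
        h->pages[i] = model_backing[i];
    h->alloc = 1;
}
/* Map path: reject an unallocated handle before touching pages[]. */
static int model_sg_table(const struct model_handle *h) {
    int n = 0;
    if (!h->alloc)
        return -EINVAL;                 /* assumed error code */
    for (size_t i = 0; i < MODEL_NPAGES; i++)
        n += (h->pages[i][0] == 0);     /* dereferences every page entry */
    return n;                           /* number of pages walked */
}
/* kmap-style path: same guard, plus a bounds check on the page index. */
static int model_kmap_read(const struct model_handle *h, size_t pagenum,
                           unsigned char *out) {
    if (!h->alloc || pagenum >= MODEL_NPAGES)
        return -EINVAL;
    *out = h->pages[pagenum][0];
    return 0;
}
int main(void) {
    struct model_handle h;
    unsigned char b = 0;
    model_create(&h);
    printf("before ALLOC: %d %d\n", model_sg_table(&h), model_kmap_read(&h, 0, &b));
    model_alloc(&h);
    printf("after ALLOC: %d %d\n", model_sg_table(&h), model_kmap_read(&h, 0, &b));
    return 0;
}
```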