video: tegra: host: Check for allocation failures

Adds checks for memory allocation failures, and proper propagation
of error conditions. Adds clearing of pointers after free or unpin
has been called to catch use after free.

Bug 877551

Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/54027
Reviewed-by: Antti Miettinen <amiettinen@nvidia.com>
Reviewed-by: Hiroshi Doyu <hdoyu@nvidia.com>
Reviewed-by: Scott Williams <scwilliams@nvidia.com>
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Tested-by: Gerrit_Virtual_Submit
(cherry picked from commit bfbf2766d11a5f85781532ddce3a87b7ae762ba3)
Change-Id: I04171ee5db6a42bb1689221d4f80d5f3d35e7399
Reviewed-on: http://git-master/r/57462

Rebase-Id: Rc9f43312c8b818869d746f4b73700d8b56e4569d

1 files changed, 6 insertions, 1 deletions

diff --git a/drivers/video/tegra/host/nvhost_cdma.c b/drivers/video/tegra/host/nvhost_cdma.c
index 5c04e5838d2a..769dba7c8b99 100644
--- a/drivers/video/tegra/host/nvhost_cdma.c
+++ b/drivers/video/tegra/host/nvhost_cdma.c
@@ -63,6 +63,9 @@
 /* Number of words needed to store an entry containing one handle */
 #define SYNC_QUEUE_MIN_ENTRY (SQ_IDX_HANDLES + (sizeof(void *)/4))
 
+/* Magic to use to fill freed handle slots */
+#define BAD_MAGIC 0xdeadbeef
+
 /**
  * Reset to empty queue.
  */
@@ -412,7 +415,9 @@ static void update_cdma(struct nvhost_cdma *cdma)
 
 		/* Unpin the memory */
 		nvmap_unpin_handles(nvmap, handles, nr_handles);
+		memset(handles, BAD_MAGIC, nr_handles * sizeof(*handles));
 		nvmap_client_put(nvmap);
+		sync[SQ_IDX_NVMAP_CTX] = 0;
 
 		/* Pop push buffer slots */
 		if (nr_slots) {
@@ -634,7 +639,7 @@ void nvhost_cdma_deinit(struct nvhost_cdma *cdma)
 	BUG_ON(!cdma_pb_op(cdma).destroy);
 	BUG_ON(cdma->running);
 	kfree(cdma->sync_queue.buffer);
-	cdma->sync_queue.buffer = 0;
+	cdma->sync_queue.buffer = NULL;
 	cdma_pb_op(cdma).destroy(pb);
 	cdma_op(cdma).timeout_destroy(cdma);
 }