video: tegra: nvmap: fix input check in mmap ioctl

nvmap_map_into_caller_ptr takes a memory handle from usermode and adds a memory mapping for the handle. However, the handle is not checked for being allocated. An unallocated handle would cause a kernel panic later on from a NULL dereference. Change-Id: I73987b097a0c843b913660445e8bd1b4755dac61 Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com> Reviewed-on: http://git-master/r/119689 Reviewed-by: Simone Willett <swillett@nvidia.com> Tested-by: Simone Willett <swillett@nvidia.com>
author: Tuomas Tynkkynen <ttynkkynen@nvidia.com> 2012-07-31 17:49:49 +0300
committer: Varun Wadekar <vwadekar@nvidia.com> 2012-08-21 15:31:13 +0530
commit: af4044860e3eb9afaec85bf7d4faf50f5f70786d (patch)
tree: 017a5f3254a686772b2f4c4fdbba198227b99555 /drivers/video/tegra/nvmap
parent: b5ef06eaaaf18f336e7dc5f242bf0037bc549ec1 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index bb15699ad855..e3adc0abc174 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -239,6 +239,11 @@ int nvmap_map_into_caller_ptr(struct file *filp, void __user *arg)
 	if (!h)
 		return -EPERM;
 
+	if(!h->alloc) {
+		nvmap_handle_put(h);
+		return -EFAULT;
+	}
+
 	trace_nvmap_map_into_caller_ptr(client, h, op.offset,
 					op.length, op.flags);
 	down_read(&current->mm->mmap_sem);
author	Tuomas Tynkkynen <ttynkkynen@nvidia.com>	2012-07-31 17:49:49 +0300
committer	Varun Wadekar <vwadekar@nvidia.com>	2012-08-21 15:31:13 +0530
commit	af4044860e3eb9afaec85bf7d4faf50f5f70786d (patch)
tree	017a5f3254a686772b2f4c4fdbba198227b99555 /drivers/video/tegra/nvmap
parent	b5ef06eaaaf18f336e7dc5f242bf0037bc549ec1 (diff)