diff mbox

[06/22] drm/tegra: Check syncpoint ID in the 'submit' IOCTL

Message ID f116e4fbab1391ed59a7401f2838e95bcc3025d9.1495498184.git.digetx@gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Dmitry Osipenko May 23, 2017, 12:14 a.m. UTC 
In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and
none of its users perform a check of the returned pointer later. Let's bail
out until it's too late.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
 drivers/gpu/drm/tegra/drm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Mikko Perttunen May 31, 2017, 6:46 p.m. UTC | #1 
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>

On 05/23/2017 03:14 AM, Dmitry Osipenko wrote:
> In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and
> none of its users perform a check of the returned pointer later. Let's bail
> out until it's too late.
> 
> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> ---
>   drivers/gpu/drm/tegra/drm.c | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
> index eae0c1512ab0..cdb05d6efde4 100644
> --- a/drivers/gpu/drm/tegra/drm.c
> +++ b/drivers/gpu/drm/tegra/drm.c
> @@ -393,6 +393,8 @@ int tegra_drm_submit(struct tegra_drm_context *context,
>   	struct drm_tegra_waitchk __user *waitchks =
>   		(void __user *)(uintptr_t)args->waitchks;
>   	struct drm_tegra_syncpt syncpt;
> +	struct host1x *host1x = dev_get_drvdata(drm->dev->parent);
> +	struct host1x_syncpt *sp;
>   	struct host1x_job *job;
>   	int err;
>   
> @@ -521,6 +523,13 @@ int tegra_drm_submit(struct tegra_drm_context *context,
>   		goto fail;
>   	}
>   
> +	/* check whether syncpoint ID is valid */
> +	sp = host1x_syncpt_get(host1x, syncpt.id);
> +	if (!sp) {
> +		err = -ENOENT;
> +		goto fail;
> +	}
> +
>   	job->is_addr_reg = context->client->ops->is_addr_reg;
>   	job->syncpt_incrs = syncpt.incrs;
>   	job->syncpt_id = syncpt.id;
>
diff mbox

Patch

diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index eae0c1512ab0..cdb05d6efde4 100644
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -393,6 +393,8 @@  int tegra_drm_submit(struct tegra_drm_context *context,
 	struct drm_tegra_waitchk __user *waitchks =
 		(void __user *)(uintptr_t)args->waitchks;
 	struct drm_tegra_syncpt syncpt;
+	struct host1x *host1x = dev_get_drvdata(drm->dev->parent);
+	struct host1x_syncpt *sp;
 	struct host1x_job *job;
 	int err;
 
@@ -521,6 +523,13 @@  int tegra_drm_submit(struct tegra_drm_context *context,
 		goto fail;
 	}
 
+	/* check whether syncpoint ID is valid */
+	sp = host1x_syncpt_get(host1x, syncpt.id);
+	if (!sp) {
+		err = -ENOENT;
+		goto fail;
+	}
+
 	job->is_addr_reg = context->client->ops->is_addr_reg;
 	job->syncpt_incrs = syncpt.incrs;
 	job->syncpt_id = syncpt.id;