[PATCH v3 05/20] drm/tegra: Check syncpoint ID in the 'submit' IOCTL
Dmitry Osipenko
digetx at gmail.com
Wed Jun 14 23:18:28 UTC 2017
In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and
none of its users perform a check of the returned pointer later. Let's bail
out until it's too late.
Signed-off-by: Dmitry Osipenko <digetx at gmail.com>
Reviewed-by: Mikko Perttunen <mperttunen at nvidia.com>
---
drivers/gpu/drm/tegra/drm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index b90ed2cd32ce..e999391aedc9 100644
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -393,6 +393,8 @@ int tegra_drm_submit(struct tegra_drm_context *context,
struct drm_tegra_waitchk __user *waitchks =
(void __user *)(uintptr_t)args->waitchks;
struct drm_tegra_syncpt syncpt;
+ struct host1x *host1x = dev_get_drvdata(drm->dev->parent);
+ struct host1x_syncpt *sp;
struct host1x_job *job;
int err;
@@ -522,6 +524,13 @@ int tegra_drm_submit(struct tegra_drm_context *context,
goto fail;
}
+ /* check whether syncpoint ID is valid */
+ sp = host1x_syncpt_get(host1x, syncpt.id);
+ if (!sp) {
+ err = -ENOENT;
+ goto fail;
+ }
+
job->is_addr_reg = context->client->ops->is_addr_reg;
job->syncpt_incrs = syncpt.incrs;
job->syncpt_id = syncpt.id;
--
2.13.0
More information about the dri-devel
mailing list