drm/tegra: Check syncpoint ID in the 'submit' IOCTL

In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and none of its users perform a check of the returned pointer later. Let's bail out until it's too late. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> Signed-off-by: Thierry Reding <treding@nvidia.com>

drm/tegra: Check syncpoint ID in the 'submit' IOCTL
In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and none of its users perform a check of the returned pointer later. Let's bail out until it's too late. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> Signed-off-by: Thierry Reding <treding@nvidia.com>
e0b2ce02 · Dmitry Osipenko · Thierry Reding · d0fbbdff · e0b2ce02
Commit e0b2ce02 authored Jun 15, 2017 by Dmitry Osipenko Committed by Thierry Reding Jun 15, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

drivers/gpu/drm/tegra/drm.c drivers/gpu/drm/tegra/drm.c +9 -0

No files found.
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -393,6 +393,8 @@ int tegra_drm_submit(struct tegra_drm_context *context,
 	struct drm_tegra_waitchk __user *waitchks =
 		(void __user *)(uintptr_t)args->waitchks;
 	struct drm_tegra_syncpt syncpt;
+	struct host1x *host1x = dev_get_drvdata(drm->dev->parent);
+	struct host1x_syncpt *sp;
 	struct host1x_job *job;
 	int err;
@@ -522,6 +524,13 @@ int tegra_drm_submit(struct tegra_drm_context *context,
 		goto fail;
 	}
+	/* check whether syncpoint ID is valid */
+	sp = host1x_syncpt_get(host1x, syncpt.id);
+	if (!sp) {
+		err = -ENOENT;
+		goto fail;
+	}
 	job->is_addr_reg = context->client->ops->is_addr_reg;
 	job->syncpt_incrs = syncpt.incrs;
 	job->syncpt_id = syncpt.id;