video: tegra: nvmap: Fix null error pointer dereference.

In function nvmap_ioctl_get_fd_from_list, the return pointer from nvmap_handle_get_from_id is being dereferenced without checking if it is valid. This is causing a kernel panic crash in syzkaller. Fix this by checking whether the pointer is valid or not before dereferencing it.

Bug 4479038

Change-Id: Ia65341e9eb12873e660baae44d28966e71317377
Signed-off-by: Yash Bhatt <ybhatt@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3154940
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Yash Bhatt
2024-06-11 06:36:50 +00:00
committed by mobile promotions
parent 601fdeaed2
commit 31f41ea186


@@ -1539,15 +1539,15 @@ int nvmap_ioctl_get_fd_from_list(struct file *filp, void __user *arg)
for (i = 0; i < op.num_handles; i++) {
hs[i] = nvmap_handle_get_from_id(client, hndls[i]);
tot_hs_size += hs[i]->size;
if (IS_ERR_OR_NULL(hs[i])) {
pr_err("invalid handle_ptr[%d] = %u\n",
i, hndls[i]);
while (i--)
while (--i >= 0)
nvmap_handle_put(hs[i]);
err = -EINVAL;
goto free_mem;
}
tot_hs_size += hs[i]->size;
}
/* Add check for sizes of all the handles should be > offs and size */
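Review bot: The cleanup loop in the IS_ERR_OR_NULL branch appears with two heads, `while (i--)` and `while (--i >= 0)`, and the commit message only describes moving `tot_hs_size += hs[i]->size;` below the validity check. For a signed `i` both forms put hs[i-1] down to hs[0] and are equivalent, but `--i >= 0` is always true if `i` is unsigned, and the declaration of `i` is outside this hunk while it is compared against op.num_handles in the for loop. Please either drop the loop change from this fix or explain it in the commit message and confirm that `i` is a signed type. Moving the size accumulation after the check is the right ordering, since IS_ERR_OR_NULL(hs[i]) now runs before hs[i]->size is read.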