From 3b36d6b76f8bf4a7c74f4397e562e86c4b3ad36c Mon Sep 17 00:00:00 2001 From: Mainak Sen Date: Sun, 23 Mar 2025 08:16:43 +0000 Subject: [PATCH] gpu: host1x: Fix NULL pointer dereference in job allocation Fix NULL pointer dereference when num_unpins is 0, which causes job->addr_phys to be NULL. In this case, the code was incorrectly trying to set job->gather_addr_phys to &job->addr_phys[num_relocs], which would dereference a NULL pointer. Add proper NULL checks to prevent this issue both during allocation and when using job->gather_addr_phys throughout the code. Fixes CID 12627383: - CERT-C Expression (CERT EXP34-C) Fixes CID 12627953: - Explicit null dereferenced (FORWARD_NULL) Jira HOSTX-5971 Change-Id: If417ec5b5431a4f4b716ca73ddf279c9b0336c94 Signed-off-by: Mainak Sen Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3324441 Reviewed-by: Raghavendra Vishnu Kumar GVS: buildbot_gerritrpt Tested-by: mobile promotions Reviewed-by: Vamsee Vardhan Thummala Reviewed-by: mobile promotions
---
 drivers/gpu/host1x/job.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/host1x/job.c b/drivers/gpu/host1x/job.c
index e992e935..17a2a9ad 100644
--- a/drivers/gpu/host1x/job.c
+++ b/drivers/gpu/host1x/job.c
@@ -71,7 +71,7 @@ struct host1x_job *host1x_job_alloc(struct host1x_channel *ch,
 job->addr_phys = num_unpins ? mem : NULL;
 job->reloc_addr_phys = job->addr_phys;
- job->gather_addr_phys = &job->addr_phys[num_relocs];
+ job->gather_addr_phys = num_unpins ? &job->addr_phys[num_relocs] : NULL;
 return job;
 }
@@ -282,7 +282,8 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
 job->unpins[job->num_unpins].map = map;
 job->num_unpins++;
- job->gather_addr_phys[i] = map->phys;
+ if (job->gather_addr_phys)
+ job->gather_addr_phys[i] = map->phys;
 }
 return 0;
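Review bot: The NULL case in host1x_job_alloc() is keyed on `num_unpins`, but `gather_addr_phys` only has slots when `num_unpins` exceeds `num_relocs`. If the two can be equal and non-zero (how `num_unpins` is computed lies above this hunk, so this is inferred), the pointer is non-NULL yet points one past the end of `addr_phys`, and the NULL checks added in pin_job() and host1x_job_pin() would not catch it. Keying the test on the slot count makes those checks meaningful: `job->gather_addr_phys = num_unpins > num_relocs ? &job->addr_phys[num_relocs] : NULL;`. A short comment on the assignment, `/* NULL when no gather slots were reserved */`, would also record the new contract for later users of the field.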
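Review bot: Skipping the store when `job->gather_addr_phys` is NULL hides an inconsistent job instead of rejecting it, both here in pin_job() and in the `else continue;` branch added to host1x_job_pin(). In pin_job() the context lines above the guard have already written `job->unpins[job->num_unpins].map` and incremented the count, so if `unpins` is unallocated in the same case (not visible in this hunk) the check comes too late. In host1x_job_pin() the `continue` leaves `g->base` unassigned for a gather that presumably is still submitted. Failing closed is safer for an address that hardware later consumes: test once before the loop with `if (WARN_ON(!job->gather_addr_phys))` and return an error through the function's existing cleanup path. Both function bodies start and end outside the hunks shown, so that cleanup path is not visible here.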
@@ -644,8 +645,12 @@ int host1x_job_pin(struct host1x_job *job, struct device *dev)
 continue;
 /* copy_gathers() sets gathers base if firewall is enabled */
- if (!job->enable_firewall)
- g->base = job->gather_addr_phys[i];
+ if (!job->enable_firewall) {
+ if (job->gather_addr_phys)
+ g->base = job->gather_addr_phys[i];
+ else
+ continue;
+ }
 for (j = i + 1; j < job->num_cmds; j++) {
 if (job->cmds[i].type == HOST1X_JOB_CMD_GATHER &&