gpu: host1x: Fix NULL pointer dereference in job allocation

Fix NULL pointer dereference when num_unpins is 0,
which causes job->addr_phys to be NULL. In this
case, the code was incorrectly trying to set
job->gather_addr_phys to &job->addr_phys[num_relocs],
which would dereference a NULL pointer.

Add proper NULL checks to prevent this issue
both during allocation and when
using job->gather_addr_phys throughout the code.

Fixes CID 12627383:
- CERT-C Expression (CERT EXP34-C)
Fixes CID 12627953:
- Explicit null dereferenced (FORWARD_NULL)

Jira HOSTX-5971

Change-Id: If417ec5b5431a4f4b716ca73ddf279c9b0336c94
Signed-off-by: Mainak Sen <msen@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3324441
Reviewed-by: Raghavendra Vishnu Kumar <rvk@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-by: Vamsee Vardhan Thummala <vthummala@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Mainak Sen
2025-03-23 08:16:43 +00:00
committed by Jon Hunter
parent 8759302687
commit 3b36d6b76f


@@ -71,7 +71,7 @@ struct host1x_job *host1x_job_alloc(struct host1x_channel *ch,
job->addr_phys = num_unpins ? mem : NULL; job->addr_phys = num_unpins ? mem : NULL;
job->reloc_addr_phys = job->addr_phys; job->reloc_addr_phys = job->addr_phys;
job->gather_addr_phys = &job->addr_phys[num_relocs]; job->gather_addr_phys = num_unpins ? &job->addr_phys[num_relocs] : NULL;
return job; return job;
} }
@@ -282,6 +282,7 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
job->unpins[job->num_unpins].map = map; job->unpins[job->num_unpins].map = map;
job->num_unpins++; job->num_unpins++;
if (job->gather_addr_phys)
job->gather_addr_phys[i] = map->phys; job->gather_addr_phys[i] = map->phys;
} }
@@ -644,8 +645,12 @@ int host1x_job_pin(struct host1x_job *job, struct device *dev)
continue; continue;
/* copy_gathers() sets gathers base if firewall is enabled */ /* copy_gathers() sets gathers base if firewall is enabled */
if (!job->enable_firewall) if (!job->enable_firewall) {
if (job->gather_addr_phys)
g->base = job->gather_addr_phys[i]; g->base = job->gather_addr_phys[i];
else
continue;
}
for (j = i + 1; j < job->num_cmds; j++) { for (j = i + 1; j < job->num_cmds; j++) {
if (job->cmds[i].type == HOST1X_JOB_CMD_GATHER && if (job->cmds[i].type == HOST1X_JOB_CMD_GATHER &&
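Review bot: In host1x_job_pin the new `else continue;` skips a gather whose `g->base` was never assigned and moves on to the next command without recording an error, so the function can presumably still return success for a job whose gather base nothing set. With the firewall disabled, a NULL `job->gather_addr_phys` at this point means the job's bookkeeping is inconsistent, and that should fail the pin rather than be passed over: replace the branch with `else { err = -EINVAL; goto unpin; }`, where `err` and `unpin` are placeholders for whatever error variable and cleanup label the function already uses (its body starts and ends outside the hunk). The guard added in pin_job has the same shape, since the mapping is recorded in `job->unpins` but its `map->phys` is dropped with no error reported. Separately, a non-NULL test does not show that slot `i` exists: if `num_unpins` (computed outside the hunk) can be non-zero while equal to `num_relocs`, `gather_addr_phys` points one past the end of the array, so a bound check on the index would be the stronger guard.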