From ae282d2c222cbceae04ada65a4f99e40a41f912b Mon Sep 17 00:00:00 2001 From: Ashish Mhetre Date: Thu, 19 Jan 2023 09:16:51 +0000 Subject: [PATCH] video: tegra: nvmap: Fix error pointer dereference In nvmap_try_duplicate_by_ivmid(), the return pointer from nvmap_duplicate_handle() is getting dereferenced without checking whether the pointer is error or valid. This is causing kernel panic. Fix this by checking if the return pointer is invalid then return error. Bug 3766497 Change-Id: I010893c9ebda60e313c4f776044a123073399ef2 Signed-off-by: Ashish Mhetre Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2846180 Reviewed-by: svcacv Reviewed-by: Ketan Patil Reviewed-by: svc-mobile-coverity Reviewed-by: svc-mobile-cert Reviewed-by: svc_kernel_abi Reviewed-by: Sachin Nikam GVS: Gerrit_Virtual_Submit
---
 drivers/video/tegra/nvmap/nvmap_handle.c | 6 +++++-
 drivers/video/tegra/nvmap/nvmap_ioctl.c | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/video/tegra/nvmap/nvmap_handle.c b/drivers/video/tegra/nvmap/nvmap_handle.c
index c3daa935..ea877e4b 100644
--- a/drivers/video/tegra/nvmap/nvmap_handle.c
+++ b/drivers/video/tegra/nvmap/nvmap_handle.c
@@ -3,7 +3,7 @@
 *
 * Handle allocation and freeing routines for nvmap
 *
- * Copyright (c) 2009-2022, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2009-2023, NVIDIA CORPORATION. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -339,6 +339,10 @@ found:
 /* h->dmabuf can't be NULL anymore. Duplicate the handle. */
 ref = nvmap_duplicate_handle(client, h, true, false);
+ if (IS_ERR_OR_NULL(ref)) {
+ pr_err("Failed to duplicate handle\n");
+ return ref;
+ }
 /* put the extra ref taken using get_dma_buf. */
 dma_buf_put(h->dmabuf);
 finish:
diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index b64d46a5..d89c4009 100644
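Review bot: The early `return ref;` added in the `@@ -339,6 +339,10 @@` hunk of nvmap_handle.c leaves the function before `dma_buf_put(h->dmabuf)`, which the comment right after it describes as dropping the extra reference taken with get_dma_buf, so a failed duplication appears to leak a dma-buf reference on a path that nvmap_ioctl_create_from_ivc() reaches from user space. Releasing it in the error branch keeps the count balanced: add `dma_buf_put(h->dmabuf);` before `return ref;`, or drop the `return` and fall through to the existing put if `finish:` does nothing more than return `ref`. The log line would also be easier to triage with the reason attached, e.g. `pr_err("Failed to duplicate handle: %ld\n", PTR_ERR(ref));`. The function starts before and continues after this hunk, so whether any other reference or lock is still held at this point needs to be confirmed there.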
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -3,7 +3,7 @@
 *
 * User-space interface to nvmap
 *
- * Copyright (c) 2011-2022, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2011-2023, NVIDIA CORPORATION. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -764,7 +764,7 @@ int nvmap_ioctl_create_from_ivc(struct file *filp, void __user *arg)
 return -ENODEV;
 ref = nvmap_try_duplicate_by_ivmid(client, op.ivm_id, &block);
- if (!ref) {
+ if (IS_ERR_OR_NULL(ref)) {
 /*
 * See nvmap_heap_alloc() for encoding details.
 */
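Review bot: Widening the test to `IS_ERR_OR_NULL(ref)` in nvmap_ioctl_create_from_ivc() sends an error pointer from a failed duplication down the same branch as a NULL result, and the error code it carries is never read. If that branch, which continues outside the hunk, goes on to build a new handle from `op.ivm_id` (the nvmap_heap_alloc() comment suggests it decodes the id), a transient failure such as -ENOMEM would be handled as if no handle existed for that id. Consider keeping the two cases apart, for example `if (IS_ERR(ref)) return PTR_ERR(ref);` (or a jump to the function's existing cleanup path) ahead of the original `if (!ref) {`. A short comment stating which return values of nvmap_try_duplicate_by_ivmid() mean "not found" and which mean "failed" would document the contract the caller relies on.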