video: tegra: nvmap: Fix error pointer dereference

In nvmap_try_duplicate_by_ivmid(), the return pointer from nvmap_duplicate_handle() is getting dereferenced without checking whether the pointer is error or valid. This is causing kernel panic. Fix this by checking if the return pointer is invalid then return error. Bug 3766497 Change-Id: I010893c9ebda60e313c4f776044a123073399ef2 Signed-off-by: Ashish Mhetre <amhetre@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2846180 Reviewed-by: svcacv <svcacv@nvidia.com> Reviewed-by: Ketan Patil <ketanp@nvidia.com> Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com> Reviewed-by: svc-mobile-cert <svc-mobile-cert@nvidia.com> Reviewed-by: svc_kernel_abi <svc_kernel_abi@nvidia.com> Reviewed-by: Sachin Nikam <snikam@nvidia.com> GVS: Gerrit_Virtual_Submit <buildbot_gerritrpt@nvidia.com>
2025-12-22 09:11:26 +03:00 · 2023-01-19 09:16:51 +00:00
parent afb7cce70c
commit ae282d2c22
2 changed files with 7 additions and 3 deletions
--- a/drivers/video/tegra/nvmap/nvmap_handle.c
+++ b/drivers/video/tegra/nvmap/nvmap_handle.c
@@ -3,7 +3,7 @@
 *
 * Handle allocation and freeing routines for nvmap
 *
- * Copyright (c) 2009-2022, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2009-2023, NVIDIA CORPORATION. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -339,6 +339,10 @@ found:

 	/* h->dmabuf can't be NULL anymore. Duplicate the handle. */
 	ref = nvmap_duplicate_handle(client, h, true, false);
+	if (IS_ERR_OR_NULL(ref)) {
+		pr_err("Failed to duplicate handle\n");
+		return ref;
+	}
 	/* put the extra ref taken using get_dma_buf. */
 	dma_buf_put(h->dmabuf);
 finish: