video: tegra: nvmap: Add more checks to avoid races

Add more checks in nvmap code so as to avoid any possible races. - Update is_nvmap_id_ro and is_nvmap_dmabuf_fd_ro functions so that they return error value during error conditions and also update their callers to handle those error values. - Move all trace statements from end of the function to before handle refcount or dup count is decremented, this make sure we are not dereferencing any freed handle/reference/dambuf. - Increment ref's dup count wherever we feel data race is possible, and decrement it accordingly towards end of function. Bug 4253911 Change-Id: I50fc7cc98ebbf3c50025bc2f9ca32882138fb272 Signed-off-by: Ketan Patil <ketanp@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/2972602 Reviewed-by: Sachin Nikam <snikam@nvidia.com> GVS: Gerrit_Virtual_Submit <buildbot_gerritrpt@nvidia.com>
2025-12-22 09:11:26 +03:00 · 2023-09-01 10:50:17 +00:00
parent 7a01b01e88
commit ebf51c43ae
6 changed files with 165 additions and 52 deletions
--- a/drivers/video/tegra/nvmap/nvmap_dmabuf.c
+++ b/drivers/video/tegra/nvmap/nvmap_dmabuf.c
@@ -738,21 +738,35 @@ struct nvmap_handle *nvmap_handle_get_from_dmabuf_fd(
 	return handle;
 }

-bool is_nvmap_dmabuf_fd_ro(int fd)
+int is_nvmap_dmabuf_fd_ro(int fd, bool *is_ro)
 {
 	struct dma_buf *dmabuf;
 	struct nvmap_handle_info *info = NULL;

 	dmabuf = dma_buf_get(fd);
 	if (IS_ERR(dmabuf)) {
-		return false;
+		goto fail;
 	}
-	if (dmabuf_is_nvmap(dmabuf)) {
-		info = dmabuf->priv;
-	}
-	dma_buf_put(dmabuf);

-	return (info != NULL) ? info->is_ro : false;
+	if (dmabuf_is_nvmap(dmabuf))
+		info = dmabuf->priv;
+
+	if (!info) {
+		dma_buf_put(dmabuf);
+		/*
+		 * Ideally, we should return error from here,
+		 * but this is done intentionally to handle foreign buffers.
+		 */
+		return 0;
+	}
+
+	*is_ro = info->is_ro;
+	dma_buf_put(dmabuf);
+	return 0;
+
+fail:
+	pr_err("Dmabuf fd RO check failed\n");
+	return -EINVAL;
 }

 /*