drm/tegra: Check syncpoint ID in the 'submit' IOCTL

In case of invalid syncpoint ID, the host1x_syncpt_get() returns NULL and
none of its users perform a check of the returned pointer later. Let's bail
out until it's too late.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>

diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index 0928f2b..b44f1ed 100644 (file)
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -393,6 +393,8 @@ int tegra_drm_submit(struct tegra_drm_context *context,
        struct drm_tegra_waitchk __user *waitchks =
                (void __user *)(uintptr_t)args->waitchks;
        struct drm_tegra_syncpt syncpt;
+       struct host1x *host1x = dev_get_drvdata(drm->dev->parent);
+       struct host1x_syncpt *sp;
        struct host1x_job *job;
        int err;
 
@@ -522,6 +524,13 @@ int tegra_drm_submit(struct tegra_drm_context *context,
                goto fail;
        }
 
+       /* check whether syncpoint ID is valid */
+       sp = host1x_syncpt_get(host1x, syncpt.id);
+       if (!sp) {
+               err = -ENOENT;
+               goto fail;
+       }
+
        job->is_addr_reg = context->client->ops->is_addr_reg;
        job->syncpt_incrs = syncpt.incrs;
        job->syncpt_id = syncpt.id;