From 06d8f135d0ec9d291ffb8a3049308a853edb4000 Mon Sep 17 00:00:00 2001
From: Ashish Mhetre <amhetre@nvidia.com>
Date: Mon, 10 Jan 2022 17:01:01 +0530
Subject: video: tegra: nvmap: Fix race between write and free

When NvRmMemWrite() and NvRmMemFree() are called simultaneously on same
handle then it could lead to race where dmabuf freed from NvRmMemFree()
call could get used by nvmap_get_cachebility() and cause kernel crash.
When dmabuf is freed, its exported functions such as get_drvdata() won't
be valid anymore and will give error value or NULL.
Fix this by checking if get_drvdata() returns error value or NULL and act
accordingly.

Bug 3457360

Change-Id: Ibcd238bfde8775347a9f8c6266ed3ab3825d945d
Signed-off-by: Ashish Mhetre <amhetre@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2651952
Reviewed-by: Ketan Patil <ketanp@nvidia.com>
Reviewed-by: Puneet Saxena <puneets@nvidia.com>
Reviewed-by: Sachin Nikam <snikam@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
GVS: Gerrit_Virtual_Submit
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/video/tegra/nvmap/nvmap_cache_t19x.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/tegra/nvmap/nvmap_cache_t19x.c b/drivers/video/tegra/nvmap/nvmap_cache_t19x.c
index 09a56c38d..975327752 100644
--- a/drivers/video/tegra/nvmap/nvmap_cache_t19x.c
+++ b/drivers/video/tegra/nvmap/nvmap_cache_t19x.c
@@ -1,7 +1,7 @@
 /*
  * drivers/video/tegra/nvmap/nvmap_cache_t19x.c
  *
- * Copyright (c) 2016-2021, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2016-2022, NVIDIA CORPORATION.  All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -25,11 +25,11 @@ struct static_key nvmap_updated_cache_config;
 static void nvmap_handle_get_cacheability(struct nvmap_handle *h,
 		bool *inner, bool *outer)
 {
-	struct nvmap_handle_t19x *handle_t19x;
+	struct nvmap_handle_t19x *handle_t19x = NULL;
 	struct device *dev = nvmap_dev->dev_user.parent;
 
 	handle_t19x = dma_buf_get_drvdata(h->dmabuf, dev);
-	if (handle_t19x && atomic_read(&handle_t19x->nc_pin)) {
+	if (!IS_ERR_OR_NULL(handle_t19x) && atomic_read(&handle_t19x->nc_pin)) {
 		*inner = *outer = false;
 		return;
 	}
-- 
cgit v1.2.2