From 2bf606cd904942782d65bff8de693206689f9961 Mon Sep 17 00:00:00 2001
From: Jiang Liu
Date: Thu, 6 Jun 2024 09:07:21 +0800
Subject: [PATCH] GPU/FIFO: avoid possible invalid memory accesses

1) ensure pKernelFifo->ppChidMgr[i]->pChanGrpTree is successfully allocated in function kfifoChidMgrConstruct_IMPL(), otherwise it may cause invalid memory access when calling mapFine().
2) only invoke mapDestroy() when pKernelFifo->ppChidMgr[i]->pChanGrpTree is not NULL in function kfifoChidMgrDestruct_IMPL(), otherwise it may cause invalid memory access.
3) ensure pChidMgr is valid in function kfifoGetChannelGroup_IMPL().
Signed-off-by: Jiang Liu
---
 src/nvidia/src/kernel/gpu/fifo/kernel_fifo.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/nvidia/src/kernel/gpu/fifo/kernel_fifo.c b/src/nvidia/src/kernel/gpu/fifo/kernel_fifo.c
index 15e2498ded..8cb8e30527 100644
--- a/src/nvidia/src/kernel/gpu/fifo/kernel_fifo.c
+++ b/src/nvidia/src/kernel/gpu/fifo/kernel_fifo.c
@@ -179,6 +179,13 @@ kfifoChidMgrConstruct_IMPL
 pKernelFifo->ppChidMgr[i]->runlistId = i;
 pKernelFifo->ppChidMgr[i]->pChanGrpTree = portMemAllocNonPaged(sizeof(KernelChannelGroupMap));
+ if (pKernelFifo->ppChidMgr[i]->pChanGrpTree == NULL)
+ {
+ status = NV_ERR_NO_MEMORY;
+ NV_PRINTF(LEVEL_ERROR, "Failed to allocate pFifo->pChidMgr[%d]->pChanGrpTree\n", i);
+ DBG_BREAKPOINT();
+ goto fail;
+ }
 mapInitIntrusive(pKernelFifo->ppChidMgr[i]->pChanGrpTree);
 status = _kfifoChidMgrAllocChidHeaps(pGpu, pKernelFifo, pKernelFifo->ppChidMgr[i]);
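Review bot: The error string in the added NV_PRINTF names `pFifo->pChidMgr[...]`, but the object whose allocation failed is `pKernelFifo->ppChidMgr[i]->pChanGrpTree`, so a log line from this path cannot be searched back to the code that emitted it. `i` is declared outside the hunk; if it is an unsigned type, `%d` is also the wrong conversion. I would write `NV_PRINTF(LEVEL_ERROR, "Failed to allocate pKernelFifo->ppChidMgr[%u]->pChanGrpTree\n", i);`, keeping `%d` only if `i` is signed. The `fail` label is outside the hunk as well, so whether it releases the already-allocated `ppChidMgr[i]` cannot be checked from here.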
@@ -216,8 +223,10 @@ kfifoChidMgrDestruct_IMPL
 {
 if (pKernelFifo->ppChidMgr[i] != NULL)
 {
- mapDestroy(pKernelFifo->ppChidMgr[i]->pChanGrpTree);
- portMemFree(pKernelFifo->ppChidMgr[i]->pChanGrpTree);
+ if (pKernelFifo->ppChidMgr[i]->pChanGrpTree != NULL) {
+ mapDestroy(pKernelFifo->ppChidMgr[i]->pChanGrpTree);
+ portMemFree(pKernelFifo->ppChidMgr[i]->pChanGrpTree);
+ }
 _kfifoChidMgrDestroyChidHeaps(pKernelFifo->ppChidMgr[i]);
 _kfifoChidMgrDestroyChannelGroupMgr(pKernelFifo->ppChidMgr[i]);
 portMemFree(pKernelFifo->ppChidMgr[i]);
@@ -1550,6 +1559,7 @@ kfifoGetChannelGroup_IMPL
 )
 {
 CHID_MGR *pChidMgr = kfifoGetChidMgr(pGpu, pKernelFifo, runlistID);
+ NV_ASSERT_OR_RETURN(pChidMgr != NULL, NULL);
 return kfifoChidMgrGetKernelChannelGroup(pGpu, pKernelFifo, pChidMgr, grpID);
 }
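Review bot: In kfifoChidMgrDestruct_IMPL the new NULL guard covers only `pChanGrpTree`; `_kfifoChidMgrDestroyChidHeaps()` and `_kfifoChidMgrDestroyChannelGroupMgr()` still run unconditionally on the same entry. If this destructor is what the constructor's `fail` path reaches (not visible here), an entry whose tree allocation failed has not yet been through `_kfifoChidMgrAllocChidHeaps()`, so both helpers must tolerate a manager whose heaps were never set up. That is worth confirming, or guarding in the same way. As a style point, the added `if (pKernelFifo->ppChidMgr[i]->pChanGrpTree != NULL) {` keeps the brace on the same line, while the surrounding code and the check added in kfifoChidMgrConstruct_IMPL put it on its own line.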
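Review bot: kfifoGetChannelGroup_IMPL can now return NULL before it reaches the lookup, and nothing at the function says so. A one-line comment above the added check would make the contract visible, for example `// No CHID manager for this runlistID: return NULL; callers must check the result.` The check is also written as an assertion. If `runlistID` can be influenced by a client request (the callers are outside this hunk), an unknown ID is an input error rather than a driver bug, and a plain `if (pChidMgr == NULL) return NULL;` states that without tripping the assert path. The function's signature starts outside the hunk.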