From a793531b751d8c3609e2bf1a5dc2c0f10e003632 Mon Sep 17 00:00:00 2001
From: Utkarsh Saxena
Date: Tue, 25 Apr 2017 17:39:41 +0530
Subject: [PATCH] msm: ipa: Fix for missing int overflow check in the refcount library
Overflow of reference counter can lead to memory leak. Before incrementing the reference count, check with U32_MAX and return for error check.
Bug: 35467471
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
Acked-by: Mohammed Javid
Signed-off-by: Utkarsh Saxena
---
 drivers/platform/msm/ipa/ipa_rt.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/drivers/platform/msm/ipa/ipa_rt.c b/drivers/platform/msm/ipa/ipa_rt.c
index 47767cdafa70f..81c6331da8a54 100644
--- a/drivers/platform/msm/ipa/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_rt.c
@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
 mutex_lock(&ipa_ctx->lock);
 entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
 if (entry && entry->cookie == IPA_COOKIE) {
+ if (entry->ref_cnt == ((u32)~0U)) {
+ IPAERR("fail: ref count crossed limit\n");
+ goto ret;
+ }
 entry->ref_cnt++;
 lookup->hdl = entry->id;
@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
 result = 0;
 }
+
+ret:
 mutex_unlock(&ipa_ctx->lock);
 return result;
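Review bot: The saturated-counter branch in the first hunk jumps to `ret` without assigning `result`, so the value returned is whatever the initializer outside this hunk set. If that is a generic error, the caller cannot tell a counter at its limit from a table that was not found. Setting it explicitly before the jump, for example `result = -EOVERFLOW;`, would make the failure distinguishable, provided callers accept that code. The limit is spelled `((u32)~0U)` although the commit message refers to U32_MAX; if this tree's headers define it, `if (entry->ref_cnt == U32_MAX) {` states the intent directly. A short comment above the check would also help, such as `/* refuse to wrap: a wrapped ref_cnt no longer matches the handles still held */`. ipa_get_rt_tbl begins and ends outside the hunks, so the decrement side could not be checked for a matching underflow guard.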