mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-30 01:46:30 -05:00
44 lines
1.3 KiB
Diff
44 lines
1.3 KiB
Diff
From a793531b751d8c3609e2bf1a5dc2c0f10e003632 Mon Sep 17 00:00:00 2001
|
|
From: Utkarsh Saxena <usaxena@codeaurora.org>
|
|
Date: Tue, 25 Apr 2017 17:39:41 +0530
|
|
Subject: [PATCH] msm: ipa: Fix for missing int overflow check in the refcount
|
|
library
|
|
|
|
Overflow of reference counter can lead to memory leak.
|
|
|
|
Before incrementing the reference count, check with
|
|
U32_MAX and return for error check.
|
|
|
|
Bug: 35467471
|
|
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
|
|
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
|
|
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
|
|
---
|
|
drivers/platform/msm/ipa/ipa_rt.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/drivers/platform/msm/ipa/ipa_rt.c b/drivers/platform/msm/ipa/ipa_rt.c
|
|
index 47767cdafa70f..81c6331da8a54 100644
|
|
--- a/drivers/platform/msm/ipa/ipa_rt.c
|
|
+++ b/drivers/platform/msm/ipa/ipa_rt.c
|
|
@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
|
|
mutex_lock(&ipa_ctx->lock);
|
|
entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
|
|
if (entry && entry->cookie == IPA_COOKIE) {
|
|
+ if (entry->ref_cnt == ((u32)~0U)) {
|
|
+ IPAERR("fail: ref count crossed limit\n");
|
|
+ goto ret;
|
|
+ }
|
|
entry->ref_cnt++;
|
|
lookup->hdl = entry->id;
|
|
|
|
@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
|
|
|
|
result = 0;
|
|
}
|
|
+
|
|
+ret:
|
|
mutex_unlock(&ipa_ctx->lock);
|
|
|
|
return result;
|