From 5697436b51d1732292155da19a7e349060c52795 Mon Sep 17 00:00:00 2001
From: Mohammed Javid <mjavid@codeaurora.org>
Date: Mon, 7 Aug 2017 16:05:27 +0530
Subject: [PATCH] msm: ipa: Fix to use after free issue

Change the error path so that the ref_cnt variable is decremented only
when the add_ref_hdr variable is true.

Change-Id: I0bcc3909669f4843c43135e5f047ac28fa62bb63
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
---
 drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c | 3 ++-
 drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
index 01e761429108..40cfac2e6d37 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
@@ -581,7 +581,8 @@ ipa_insert_failed:
 	htbl->proc_ctx_cnt--;
 
 bad_len:
-	hdr_entry->ref_cnt--;
+	if (add_ref_hdr)
+		hdr_entry->ref_cnt--;
 	entry->cookie = 0;
 	kmem_cache_free(ipa_ctx->hdr_proc_ctx_cache, entry);
 	return -EPERM;
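Review bot: The conditional decrement under `bad_len:` has no comment tying it to the place where the reference is taken, so a later reader cannot tell from this label why `ref_cnt` is sometimes left untouched. I would add `/* drop the hdr reference only if this call took one */` directly above `if (add_ref_hdr)`. The function starts outside the hunk, so the matching increment is not visible here; it presumably sits behind the same `add_ref_hdr` test, and that should be confirmed, because `ipa_insert_failed` falls through into this label and any imbalance in `ref_cnt` on this path is what would let the header entry be released while still in use. The same comment and check apply to the identical hunk in drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c.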
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
index 4bb0d9c7e663..46288ac2cb8c 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
@@ -462,7 +462,8 @@ ipa_insert_failed:
 	htbl->proc_ctx_cnt--;
 
 bad_len:
-	hdr_entry->ref_cnt--;
+	if (add_ref_hdr)
+		hdr_entry->ref_cnt--;
 	entry->cookie = 0;
 	kmem_cache_free(ipa3_ctx->hdr_proc_ctx_cache, entry);
 	return -EPERM;
-- 
GitLab