msm: ipa: Fix for missing int overflow check in the refcount library

Overflow of reference counter can lead to memory leak. Before incrementing the reference count, check with U32_MAX and return for error check. Bug: 35467471 Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66 Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com> Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>

msm: ipa: Fix for missing int overflow check in the refcount library
a793531b · Utkarsh Saxena · Stuart Scott · c7942134 · a793531b
Commit a793531b authored 8 years ago by Utkarsh Saxena Committed by Stuart Scott 8 years ago
--- a/drivers/platform/msm/ipa/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_rt.c
@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
 	mutex_lock(&ipa_ctx->lock);
 	entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
 	if (entry && entry->cookie == IPA_COOKIE) {
+		if (entry->ref_cnt == ((u32)~0U)) {
+			IPAERR("fail: ref count crossed limit\n");
+			goto ret;
+		}
 		entry->ref_cnt++;
 		lookup->hdl = entry->id;
@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
 		result = 0;
 	}
+ret:
 	mutex_unlock(&ipa_ctx->lock);
 	return result;