Skip to content
Snippets Groups Projects
Commit a793531b authored by Utkarsh Saxena's avatar Utkarsh Saxena Committed by Stuart Scott
Browse files

msm: ipa: Fix for missing int overflow check in the refcount library


Overflow of reference counter can lead to memory leak.

Before incrementing the reference count, check with
U32_MAX and return for error check.

Bug: 35467471
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
Acked-by: default avatarMohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: default avatarUtkarsh Saxena <usaxena@codeaurora.org>
parent c7942134
No related branches found
No related tags found
No related merge requests found
...@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup) ...@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
mutex_lock(&ipa_ctx->lock); mutex_lock(&ipa_ctx->lock);
entry = __ipa_find_rt_tbl(lookup->ip, lookup->name); entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
if (entry && entry->cookie == IPA_COOKIE) { if (entry && entry->cookie == IPA_COOKIE) {
if (entry->ref_cnt == ((u32)~0U)) {
IPAERR("fail: ref count crossed limit\n");
goto ret;
}
entry->ref_cnt++; entry->ref_cnt++;
lookup->hdl = entry->id; lookup->hdl = entry->id;
...@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup) ...@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
result = 0; result = 0;
} }
ret:
mutex_unlock(&ipa_ctx->lock); mutex_unlock(&ipa_ctx->lock);
return result; return result;
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment