msm: ipa: Fix for missing int overflow check in the refcount library (632931bf) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/platform/msm/ipa/ipa_v2/ipa_rt.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1353,6 +1353,10 @@ int ipa2_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
		mutex_lock(&ipa_ctx->lock);
		entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
		if (entry && entry->cookie == IPA_COOKIE) {
		if (entry->ref_cnt == U32_MAX) {
		IPAERR("fail: ref count crossed limit\n");
		goto ret;
		}
		entry->ref_cnt++;
		lookup->hdl = entry->id;

		@@ -1362,6 +1366,8 @@ int ipa2_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)

		result = 0;
		}

		ret:
		mutex_unlock(&ipa_ctx->lock);

		return result;

+7 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -1612,6 +1612,10 @@ int ipa3_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
		mutex_lock(&ipa3_ctx->lock);
		entry = __ipa3_find_rt_tbl(lookup->ip, lookup->name);
		if (entry && entry->cookie == IPA_COOKIE) {
		if (entry->ref_cnt == U32_MAX) {
		IPAERR("fail: ref count crossed limit\n");
		goto ret;
		}
		entry->ref_cnt++;
		lookup->hdl = entry->id;

		@@ -1621,6 +1625,8 @@ int ipa3_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)

		result = 0;
		}

		ret:
		mutex_unlock(&ipa3_ctx->lock);

		return result;