| author | c_mtharu <mtharu@codeaurora.org> | 2019-09-17 12:52:12 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-09-20 05:45:26 -0700 |
| commit | cbc9a41bff6ef49da199f8c84db2485f072a45ee (patch) | |
| tree | 7aad23ab5b8f4d650d31a58d040106108aa3fa1d /drivers/char | |
| parent | 07d0e296e566d2c45df86a3418cf3f11e55d017b (diff) | |
msm: adsprpc: Fix integer overflow in refcount of map
Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.
Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Diffstat (limited to 'drivers/char')
| -rw-r--r-- | drivers/char/adsprpc.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index b898007c63d9..23b48dc6981b 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -479,6 +479,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va, if (va >= map->va && va + len <= map->va + map->len && map->fd == fd) { + if (map->refs + 1 == INT_MAX) { + spin_unlock(&me->hlock); + return -ETOOMANYREFS; + } map->refs++; match = map; break; @@ -491,6 +495,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va, if (va >= map->va && va + len <= map->va + map->len && map->fd == fd) { + if (map->refs + 1 == INT_MAX) { + spin_unlock(&fl->hlock); + return -ETOOMANYREFS; + } map->refs++; match = map; break; |
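Review bot: in the first hunk (@@ -479,6 +479,10, the walk under me->hlock), the guard compares with equality, "map->refs + 1 == INT_MAX", so it fires only when refs is exactly INT_MAX - 1. This patch touches only fastrpc_mmap_find, so if refs is raised anywhere else, a counter already at INT_MAX passes the test, and the "map->refs + 1" expression then overflows as well (assuming refs is a signed int, as the INT_MAX comparison suggests). A range test such as "map->refs >= INT_MAX - 1" fails closed. Better still, make the field a refcount_t, which saturates instead of wrapping. The commit message also says the error is raised when the count "reaches INT_MAX", while the code caps it one below that; one of the two should be adjusted so they agree.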
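Review bot: in the second hunk (@@ -491,6 +495,10, the walk under fl->hlock), the guard is a copy of the one in the first hunk with only the lock name changed, and both return from inside the list walk after unlocking by hand. The surrounding code already leaves the loop with "match = map; break;", so setting an error code and breaking would keep a single unlock site per loop, and a future edit to the locking would not have to remember these early returns. Folding the check and the increment into one small helper used by both loops would also stop the two copies drifting apart. A short comment on why -ETOOMANYREFS is returned here would help readers, since the overflow-to-use-after-free reasoning lives only in the commit message.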
