From 529c059a8bcb5fd4b1b4fb89cf2e59587df0c669 Mon Sep 17 00:00:00 2001
From: Ram Nagesh
Date: Mon, 13 Mar 2023 16:00:34 +0530
Subject: [PATCH] msm: synx: Check for zero before reducing bind handles
Suppose user has sent invalid external fence to bind API. Now, while binding, if synx signal comes in parallel, it will set number of bound synxs as 0 after signal. Further reduction on that number(num_bound_synxs) (in case of callback registration failure) would make it wrap around. So, now num_bound_synxs is large value and abrupt close on synx fd will lead to synx_util_object_destroy. Here, the for loop on num_bound_synxs would lead to invalid memory access. This change decrements num_bound_synxs only if not zero.
Change-Id: I0cfffc90d4164b149c87545818ae4dcf57fc4c46
Signed-off-by: Ram Nagesh
---
 drivers/media/platform/msm/synx/synx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/msm/synx/synx.c b/drivers/media/platform/msm/synx/synx.c
index 8043cc1489ed..21c9cce7a958 100644
--- a/drivers/media/platform/msm/synx/synx.c
+++ b/drivers/media/platform/msm/synx/synx.c
@@ -870,7 +870,8 @@ int synx_bind(struct synx_session session_id,
 mutex_lock(&synx_obj->obj_lock);
 memset(&synx_obj->bound_synxs[bound_idx], 0, sizeof(struct synx_external_desc));
- synx_obj->num_bound_synxs--;
+ if (synx_obj->num_bound_synxs)
+ synx_obj->num_bound_synxs--;
 goto free;
 }
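Review bot: The new `if (synx_obj->num_bound_synxs)` guard stops the counter from wrapping, but the `memset` of `bound_synxs[bound_idx]` just above it still runs unconditionally, with an index that appears to have been chosen before the lock was re-taken (synx_bind starts and ends outside this hunk, so this is inferred from the commit message). If a parallel signal has reset the count and another bind has claimed a slot in the meantime, this error path would presumably clear or un-count an entry it no longer owns, leaving the count and the array out of step. Consider re-checking under `obj_lock` that slot `bound_idx` still belongs to this bind call before clearing and decrementing, and document the race at the guard, e.g. `/* a parallel signal may already have reset num_bound_synxs to 0 */`. As defense in depth, the loop in synx_util_object_destroy named in the description should also clamp num_bound_synxs to the capacity of bound_synxs before indexing, so a corrupted count cannot drive an out-of-bounds walk.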