msm: synx: Check for zero before reducing bind handles
Suppose user has sent invalid external fence to bind API. Now, while binding, if synx signal comes in parallel, it will set number of bound synxs as 0 after signal. Further reduction on that number(num_bound_synxs) (in case of callback registration failure) would make it wrap around. So, now num_bound_synxs is large value and abrupt close on synx fd will lead to synx_util_object_destroy. Here, the for loop on num_bound_synxs would lead to invalid memory access. This change decrements num_bound_synxs only if not zero. Change-Id: I0cfffc90d4164b149c87545818ae4dcf57fc4c46 Signed-off-by: Ram Nagesh <quic_ramnages@quicinc.com>
This commit is contained in:
parent
184d090942
commit
529c059a8b
@ -870,7 +870,8 @@ int synx_bind(struct synx_session session_id,
|
|||||||
mutex_lock(&synx_obj->obj_lock);
|
mutex_lock(&synx_obj->obj_lock);
|
||||||
memset(&synx_obj->bound_synxs[bound_idx], 0,
|
memset(&synx_obj->bound_synxs[bound_idx], 0,
|
||||||
sizeof(struct synx_external_desc));
|
sizeof(struct synx_external_desc));
|
||||||
synx_obj->num_bound_synxs--;
|
if (synx_obj->num_bound_synxs)
|
||||||
|
synx_obj->num_bound_synxs--;
|
||||||
goto free;
|
goto free;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user