msm: synx: Check for zero before reducing bind handles

Suppose user has sent invalid external fence to bind API. Now, while binding, if synx signal comes in parallel, it will set number of bound synxs as 0 after signal. Further reduction on that number(num_bound_synxs) (in case of callback registration failure) would make it wrap around. So, now num_bound_synxs is large value and abrupt close on synx fd will lead to synx_util_object_destroy. Here, the for loop on num_bound_synxs would lead to invalid memory access. This change decrements num_bound_synxs only if not zero. Change-Id: I0cfffc90d4164b149c87545818ae4dcf57fc4c46 Signed-off-by: Ram Nagesh <quic_ramnages@quicinc.com>
2023-03-13 16:00:34 +05:30 · 2023-03-13 16:00:34 +05:30 · 529c059a8b
commit 529c059a8b
parent 184d090942
1 changed files with 2 additions and 1 deletions
--- a/drivers/media/platform/msm/synx/synx.c
+++ b/drivers/media/platform/msm/synx/synx.c
@ -870,6 +870,7 @@ int synx_bind(struct synx_session session_id,
 		mutex_lock(&synx_obj->obj_lock);
 		memset(&synx_obj->bound_synxs[bound_idx], 0,
 			sizeof(struct synx_external_desc));
+		if (synx_obj->num_bound_synxs)
 			synx_obj->num_bound_synxs--;
 		goto free;
 	}