From fab8f054af1ba6f5026e3807d4fefb009436698e Mon Sep 17 00:00:00 2001
From: c_mtharu
Date: Tue, 17 Sep 2019 12:52:12 +0530
Subject: [PATCH] msm: adsprpc: Fix integer overflow in refcount of map

Integer overflow in refcount of map is leading to use after free. Error out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy
Signed-off-by: Tharun Kumar Merugu
---
 drivers/char/adsprpc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 0e7befd4a146..fd351b921d7d 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -479,6 +479,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 if (va >= map->va &&
 va + len <= map->va + map->len &&
 map->fd == fd) {
+ if (map->refs + 1 == INT_MAX) {
+ spin_unlock(&me->hlock);
+ return -ETOOMANYREFS;
+ }
 map->refs++;
 match = map;
 break;
@@ -491,6 +495,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 if (va >= map->va &&
 va + len <= map->va + map->len &&
 map->fd == fd) {
+ if (map->refs + 1 == INT_MAX) {
+ spin_unlock(&fl->hlock);
+ return -ETOOMANYREFS;
+ }
 map->refs++;
 match = map;
 break;
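Review bot: The new guard in both hunks (the `@@ -479` search under me->hlock and the `@@ -491` search under fl->hlock) evaluates the signed addition `map->refs + 1` before comparing, so if refs ever sits at INT_MAX by some other path the addition itself is signed overflow and the compiler may fold the comparison away; comparing without arithmetic, `if (map->refs >= INT_MAX - 1) {`, rejects the same values with no undefined behaviour. The test presumably assumes refs is an int, which the use of INT_MAX suggests but the hunk does not show. fastrpc_mmap_find continues outside both hunks, so whether callers treat -ETOOMANYREFS differently from a no-match result is not visible here; it would be worth a comment above the check such as `/* saturate: a refcount this high indicates a leaked reference elsewhere, fail rather than wrap */` so the next reader knows the error is a backstop, not an expected condition.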