From 1993b57947db1222bac7268d4589a6c86d752c97 Mon Sep 17 00:00:00 2001
From: Surbhi Singh <surbhis@nvidia.com>
Date: Wed, 27 Nov 2024 09:19:18 +0000
Subject: [PATCH] video: tegra: nvmap:  Fix INT32-C overflow defects

-dupes variable is decremented within the while loop after each call to nvmap_handle_put(ref->handle).

-This prevents an infinite loop scenario where dupes remains greater than 0.

JIRA: TMM-5724
Bug 4479044

Change-Id: Ideea8e05be4d175c5e78895eb5d76fed4b655968
Signed-off-by: Surbhi Singh <surbhis@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3258081
Reviewed-by: Ketan Patil <ketanp@nvidia.com>
Reviewed-by: Pritesh Raithatha <praithatha@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
---
 drivers/video/tegra/nvmap/nvmap_dev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/tegra/nvmap/nvmap_dev.c b/drivers/video/tegra/nvmap/nvmap_dev.c
index 0ab9d75f..77e0ecac 100644
--- a/drivers/video/tegra/nvmap/nvmap_dev.c
+++ b/drivers/video/tegra/nvmap/nvmap_dev.c
@@ -276,11 +276,11 @@ static void destroy_client(struct nvmap_client *client)
 			dma_buf_put(ref->handle->dmabuf);
 		rb_erase(&ref->node, &client->handle_refs);
 		atomic_dec(&ref->handle->share_count);
-
 		dupes = atomic_read(&ref->dupes);
-		while (dupes--)
+		while (dupes > 0) {
 			nvmap_handle_put(ref->handle);
-
+			dupes--;
+		}
 		kfree(ref);
 	}