mm-drivers: hw_fence: add check for invalid client_id param in ioctl

Current implementation allows ioctl to deregister hw-fence client with
client_id that does not match hw_sync_obj. This can cause a double-free
if user-space deregisters the wrong file descriptor by mistake.
Instead, fail the ioctl early if it has these invalid parameters.

Change-Id: Ib781be18d2f71c24d6aa4fc08eeba44649da13da
Signed-off-by: Grace An <[email protected]>
Grace An 1 year ago
parent
commit
2f76940f77
1 changed file with 6 additions and 1 deletion

+ 6 - 1
hw_fence/src/hw_fence_ioctl.c

@@ -213,8 +213,13 @@ static long hw_sync_ioctl_unreg_client(struct hw_sync_obj *obj, unsigned long ar
 {
 	int client_id = _get_client_id(obj, arg);
 
-	if (IS_ERR(&client_id))
+	if (IS_ERR(&client_id)) {
 		return client_id;
+	} else if (client_id != obj->client_id) {
+		HWFNC_ERR("deregistering hw-fence client %d with invalid client_id arg:%d\n",
+			obj->client_id, client_id);
+		return -EINVAL;
+	}
 
 	return msm_hw_fence_deregister(obj->client_handle);
 }
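Review bot: the `IS_ERR(&client_id)` test kept at the top of this hunk can never be true, because it is applied to the address of a local `int` rather than to the value, and a stack address is never in the error-pointer range. If `_get_client_id()` reports failure as a negative errno (which `return client_id;` suggests), that value now falls through to the new `client_id != obj->client_id` branch, so the caller gets `-EINVAL` plus an HWFNC_ERR line instead of the original error code. The new mismatch check itself does what the commit message describes, but the first branch should test the value directly, for example `if (client_id < 0) return client_id;`, so that the two failure cases stay distinct. It is also worth stating in the commit message or a comment whether `obj->client_id` can change concurrently with this ioctl, since the comparison and the later `msm_hw_fence_deregister(obj->client_handle)` call are not visibly serialized in these lines.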