Merge pull request #1123 from ColinIanKing/rpi-4.1.y

vchiq: fix NULL pointer dereference when closing driver

Author: pelwell

drivers/char/broadcom/vc_sm/vmcs_sm.c

@@ -1368,8 +1368,8 @@ static int vc_sm_mmap(struct file *file, struct vm_area_struct *vma)
 	return 0;
 
 error:
-	vmcs_sm_release_resource(resource, 0);
 	resource->res_stats[MAP_FAIL]++;
+	vmcs_sm_release_resource(resource, 0);
 	return ret;
 }
 

drivers/media/platform/bcm2835/controls.c

@@ -845,6 +845,8 @@ static int ctrl_set_scene_mode(struct bm2835_mmal_dev *dev,
 				break;
 			}
 		}
+		if (!scene)
+			return -EINVAL;
 		if (i >= ARRAY_SIZE(scene_configs))
 			return -EINVAL;
 

drivers/media/platform/bcm2835/mmal-vchiq.c

@@ -851,7 +851,7 @@ static int port_info_set(struct vchiq_mmal_instance *instance,
 	       sizeof(union mmal_es_specific_format));
 
 	m.u.port_info_set.format.extradata_size = port->format.extradata_size;
-	memcpy(rmsg->u.port_info_set.extradata, port->format.extradata,
+	memcpy(&m.u.port_info_set.extradata, port->format.extradata,
 	       port->format.extradata_size);
 
 	ret = send_synchronous_mmal_msg(instance, &m,

drivers/misc/vc04_services/interface/vchiq_arm/vchiq_util.c

@@ -46,6 +46,7 @@ int vchiu_queue_init(VCHIU_QUEUE_T *queue, int size)
 	queue->size = size;
 	queue->read = 0;
 	queue->write = 0;
+	queue->initialized = 1;
 
 	sema_init(&queue->pop, 0);
 	sema_init(&queue->push, 0);
@@ -76,6 +77,9 @@ int vchiu_queue_is_full(VCHIU_QUEUE_T *queue)
 
 void vchiu_queue_push(VCHIU_QUEUE_T *queue, VCHIQ_HEADER_T *header)
 {
+	if (!queue->initialized)
+		return;
+
 	while (queue->write == queue->read + queue->size) {
 		if (down_interruptible(&queue->pop) != 0) {
 			flush_signals(current);

drivers/misc/vc04_services/interface/vchiq_arm/vchiq_util.h

@@ -60,6 +60,7 @@ typedef struct {
 	int size;
 	int read;
 	int write;
+	int initialized;
 
 	struct semaphore pop;
 	struct semaphore push;

drivers/video/fbdev/bcm2708_fb.c

@@ -263,12 +263,6 @@ static int bcm2708_fb_check_var(struct fb_var_screeninfo *var,
 	if (var->yoffset > var->yres_virtual - var->yres)
 		var->yoffset = var->yres_virtual - var->yres - 1;
 
-	yres = var->yres;
-	if (var->vmode & FB_VMODE_DOUBLE)
-		yres *= 2;
-	else if (var->vmode & FB_VMODE_INTERLACED)
-		yres = (yres + 1) / 2;
-
 	return 0;
 }
 
@@ -426,7 +420,7 @@ static int bcm2708_fb_blank(int blank_mode, struct fb_info *info)
 
 static int bcm2708_fb_pan_display(struct fb_var_screeninfo *var, struct fb_info *info)
 {
-	s32 result = -1;
+	s32 result;
 	info->var.xoffset = var->xoffset;
 	info->var.yoffset = var->yoffset;
 	result = bcm2708_fb_set_par(info);