From 5d1a94bb284c8d97b056e8025169609e78b7052f Mon Sep 17 00:00:00 2001
From: Stefan Wahren <stefan.wahren@i2se.com>
Date: Fri, 26 May 2017 00:26:23 +0200
Subject: [PATCH] staging: vchiq_core: Bail out if ref_count is unexpected
Git-commit: 5d1a94bb284c8d97b056e8025169609e78b7052f
Patch-mainline: v4.13-rc1
References: FATE#324827

If the ref counter of service has an unexpected value then we better
bail out.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c |   17 +++++-----
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
@@ -174,7 +174,7 @@ find_service_by_handle(VCHIQ_SERVICE_HAN
 	service = handle_to_service(handle);
 	if (service && (service->srvstate != VCHIQ_SRVSTATE_FREE) &&
 		(service->handle == handle)) {
-		BUG_ON(service->ref_count == 0);
+		WARN_ON(service->ref_count == 0);
 		service->ref_count++;
 	} else
 		service = NULL;
@@ -196,7 +196,7 @@ find_service_by_port(VCHIQ_STATE_T *stat
 		spin_lock(&service_spinlock);
 		service = state->services[localport];
 		if (service && (service->srvstate != VCHIQ_SRVSTATE_FREE)) {
-			BUG_ON(service->ref_count == 0);
+			WARN_ON(service->ref_count == 0);
 			service->ref_count++;
 		} else
 			service = NULL;
@@ -220,7 +220,7 @@ find_service_for_instance(VCHIQ_INSTANCE
 	if (service && (service->srvstate != VCHIQ_SRVSTATE_FREE) &&
 		(service->handle == handle) &&
 		(service->instance == instance)) {
-		BUG_ON(service->ref_count == 0);
+		WARN_ON(service->ref_count == 0);
 		service->ref_count++;
 	} else
 		service = NULL;
@@ -245,7 +245,7 @@ find_closed_service_for_instance(VCHIQ_I
 		 (service->srvstate == VCHIQ_SRVSTATE_CLOSED)) &&
 		(service->handle == handle) &&
 		(service->instance == instance)) {
-		BUG_ON(service->ref_count == 0);
+		WARN_ON(service->ref_count == 0);
 		service->ref_count++;
 	} else
 		service = NULL;
@@ -272,7 +272,7 @@ next_service_by_instance(VCHIQ_STATE_T *
 		if (srv && (srv->srvstate != VCHIQ_SRVSTATE_FREE) &&
 			(srv->instance == instance)) {
 			service = srv;
-			BUG_ON(service->ref_count == 0);
+			WARN_ON(service->ref_count == 0);
 			service->ref_count++;
 			break;
 		}
@@ -290,7 +290,7 @@ lock_service(VCHIQ_SERVICE_T *service)
 	spin_lock(&service_spinlock);
 	WARN_ON(!service);
 	if (service) {
-		BUG_ON(service->ref_count == 0);
+		WARN_ON(service->ref_count == 0);
 		service->ref_count++;
 	}
 	spin_unlock(&service_spinlock);
@@ -304,7 +304,10 @@ unlock_service(VCHIQ_SERVICE_T *service)
 		WARN(1, "%s: service is NULL\n", __func__);
 		goto unlock;
 	}
-	BUG_ON(service->ref_count == 0);
+	if (!service->ref_count) {
+		WARN(1, "%s: ref_count is zero\n", __func__);
+		goto unlock;
+	}
 	service->ref_count--;
 	if (!service->ref_count) {
 		VCHIQ_STATE_T *state = service->state;