1 files changed, 6 insertions, 1 deletions

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index ea789376de0f..45de21c210c1 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -1795,6 +1795,7 @@ vchiq_compat_ioctl_await_completion(struct file *file,
         struct vchiq_await_completion32 args32;
         struct vchiq_completion_data32 completion32;
         unsigned int *msgbufcount32;
+        unsigned int msgbufcount_native;
         compat_uptr_t msgbuf32;
         void *msgbuf;
         void **msgbufptr;
@@ -1906,7 +1907,11 @@ vchiq_compat_ioctl_await_completion(struct file *file,
                          sizeof(completion32)))
                 return -EFAULT;
 
-        args32.msgbufcount--;
+        if (get_user(msgbufcount_native, &args->msgbufcount))
+                return -EFAULT;
+
+        if (!msgbufcount_native)
+                args32.msgbufcount--;
 
         msgbufcount32 =
                 &((struct vchiq_await_completion32 __user *)arg)->msgbufcount;