Commit cbdd2663 authored Dec 22, 2018 by Colin Ian King Committed by Daniel Vetter Dec 24, 2018

drm: fix null pointer dereference on null state pointer

In the case where state cannot be allocated, the current exit path via
label 'out' will dereference the null state pointer when calling
drm_atomic_state_put. Fix this by adding a new error exit label and
jumping to this to avoid the drm_atomic_state_put.

Detected by CoverityScan, CID#1476034 ("Dereference after null check")

Fixes: b9fc5e01 ("drm: Add helper to implement legacy dirtyfb")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181222130046.14083-1-colin.king@canonical.com

parent 221b35fe

drivers/gpu/drm/drm_damage_helper.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -178,7 +178,7 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
	state = drm_atomic_state_alloc(fb->dev);		state = drm_atomic_state_alloc(fb->dev);
	if (!state) {		if (!state) {
	ret = -ENOMEM;		ret = -ENOMEM;
	goto out;		goto out_drop_locks;
	}		}
	state->acquire_ctx = &ctx;		state->acquire_ctx = &ctx;

	@@ -238,6 +238,7 @@ out:
	kfree(rects);		kfree(rects);
	drm_atomic_state_put(state);		drm_atomic_state_put(state);

			out_drop_locks:
	drm_modeset_drop_locks(&ctx);		drm_modeset_drop_locks(&ctx);
	drm_modeset_acquire_fini(&ctx);		drm_modeset_acquire_fini(&ctx);