Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2818715imu;
        Sun, 23 Dec 2018 08:28:59 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4bfV1CKS6dWt95oddWuDws0CNIRBwEst8wl3cQ7GooP+mc5evnOUrLFON5qZ5o1Uju6EXq
X-Received: by 2002:a17:902:9345:: with SMTP id g5mr9948184plp.148.1545582539829;
        Sun, 23 Dec 2018 08:28:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1545582539; cv=none;
        d=google.com; s=arc-20160816;
        b=1ICA2nHiLBNA+tDK2VXazb+VVDICPdci57oJVj6SdBb0kb2GRmoUQ3r9ZHDNH6tChL
         SkVFg0TbiYS+ewJR/f9PxeOm2+kLhaSTrQ6fj8NtQ5DBJqVhvU2lnC95BLa8w7cDKS1G
         4AVmqIuj/PT32/9pOupXxLEiJdq2twWRf450wRhOdtVM++MS0DXUBQ9ho7Pp2AGBM0My
         8elhXXUp0ITV5Hzy5CIDJM8ZKdLUQeZ7rcUxQ6oKF0/SZlNg6g+tzfnaPTDZNer727dS
         oW8FxS6VN4Tjb6KVSKVvS73Hp9QWJFIH4v1jzKDsDDWB+EplG0VQ8wf+9Z1FuhLqnrBK
         2fRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=XzvfFMaJ9OJWP1KK00CVlwSnqOHfKNp1aG/XrBzeRmI=;
        b=yn8nKce8NZ9q/SNTNTgQcOlOPZY9XGSKHW0ALsn8L6DQ21L5fPKSxoRcKKFS/k6z/5
         WYExUY2XCNMae343mvIcvAIJqurjWt/k8a367ahs09hhmEvBt8tFsxdf9tqVoQmHIASF
         dWpEMYvGRtGSVKa8nIom+8tlnfhQT38gFblvOx/zBF7bEqnsSBvAIC/6NRFDszlV1FUg
         IpITgZNFITtJu1jD6JYeWSRJvr5eLtelm0i1gKfcOMavR4AQKKsuZ3rnQThe3030pobb
         vCW/uEBVxhpIykfOmeuGOy+mn+EmClvQVsgusGpHFmy3ii1ZmEz+TrIFBYuusFWjLJfh
         tYng==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s4si25871299pfb.190.2018.12.23.08.28.44;
        Sun, 23 Dec 2018 08:28:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392054AbeLVSbU (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Sat, 22 Dec 2018 13:31:20 -0500
Received: from youngberry.canonical.com ([91.189.89.112]:42517 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2391926AbeLVSbI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 22 Dec 2018 13:31:08 -0500
Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)
        by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.76)
        (envelope-from <colin.king@canonical.com>)
        id 1gagta-0000Uj-Et; Sat, 22 Dec 2018 13:00:46 +0000
From:   Colin King <colin.king@canonical.com>
To:     Rob Clark <robdclark@gmail.com>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        Maxime Ripard <maxime.ripard@bootlin.com>,
        Sean Paul <sean@poorly.run>, David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>,
        dri-devel@lists.freedesktop.org
Cc:     kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] drm: fix null pointer dereference on null state pointer
Date:   Sat, 22 Dec 2018 13:00:46 +0000
Message-Id: <20181222130046.14083-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.19.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

In the case where state cannot be allocated, the current exit path via
label 'out' will dereference the null state pointer when calling
drm_atomic_state_put. Fix this by adding a new error exit label and
jumping to this to avoid the drm_atomic_state_put.

Detected by CoverityScan, CID#1476034 ("Dereference after null check")

Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/gpu/drm/drm_damage_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index d2a1c7372f36..31032407254d 100644
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -178,7 +178,7 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
 	state = drm_atomic_state_alloc(fb->dev);
 	if (!state) {
 		ret = -ENOMEM;
-		goto out;
+		goto out_drop_locks;
 	}
 	state->acquire_ctx = &ctx;
 
@@ -238,6 +238,7 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
 	kfree(rects);
 	drm_atomic_state_put(state);
 
+out_drop_locks:
 	drm_modeset_drop_locks(&ctx);
 	drm_modeset_acquire_fini(&ctx);
 
-- 
2.19.1