From cbdd2663f4c801ad93f7111f93d9846589a0d530 Mon Sep 17 00:00:00 2001
From: Colin Ian King
Date: Sat, 22 Dec 2018 13:00:46 +0000
Subject: [PATCH 1/2] drm: fix null pointer dereference on null state pointer
In the case where state cannot be allocated, the current exit path via label 'out' will dereference the null state pointer when calling drm_atomic_state_put. Fix this by adding a new error exit label and jumping to this to avoid the drm_atomic_state_put.
Detected by CoverityScan, CID#1476034 ("Dereference after null check")
Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
Signed-off-by: Colin Ian King
Signed-off-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/20181222130046.14083-1-colin.king@canonical.com
---
 drivers/gpu/drm/drm_damage_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index d2a1c7372f36..31032407254d 100644
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -178,7 +178,7 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
 state = drm_atomic_state_alloc(fb->dev);
 if (!state) {
 ret = -ENOMEM;
- goto out;
+ goto out_drop_locks;
 }
 state->acquire_ctx = &ctx;
@@ -238,6 +238,7 @@ out:
 kfree(rects);
 drm_atomic_state_put(state);
+out_drop_locks:
 drm_modeset_drop_locks(&ctx);
 drm_modeset_acquire_fini(&ctx);
From c75ff001f4fe21a8c9f15aad799a8949aea109f7 Mon Sep 17 00:00:00 2001
From: Deepak Rawat
Date: Fri, 21 Dec 2018 11:35:59 -0800
Subject: [PATCH 2/2] drm: Put damage blob when destroy plane state
Somehow the code to put the damage blob on destroy plane state and set the blob to NULL when duplicate plane state was not merged. May be because the files are refactored since the patch was written. With this fix add those.
Cc: Daniel Vetter
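Review bot: The new `out_drop_locks` label in the second hunk has no comment saying when it must be used instead of `out`, and that distinction is the whole fix: `out` reaches `drm_atomic_state_put(state)` and so assumes `state` is non-NULL. I would add `/* state is NULL here: skip the state put, only release the modeset locks */` above the label so that a later error path taken before the allocation succeeds does not jump to `out` again. The early exit in the first hunk now also skips `kfree(rects)`; that is harmless only if `rects` has not been allocated yet at that point, which looks likely but cannot be confirmed because its declaration and allocation are outside the hunk. The body of drm_atomic_helper_dirtyfb starts before the first hunk and continues past the second.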
Signed-off-by: Deepak Rawat
Reviewed-by: Thomas Hellstrom
Fixes: d3b21767821e ("drm: Add a new plane property to send damage during plane update")
Signed-off-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/20181221193559.4346-1-drawat@vmware.com
---
 drivers/gpu/drm/drm_atomic_state_helper.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c
index 60bd7d708e35..4985384e51f6 100644
--- a/drivers/gpu/drm/drm_atomic_state_helper.c
+++ b/drivers/gpu/drm/drm_atomic_state_helper.c
@@ -241,6 +241,7 @@ void __drm_atomic_helper_plane_duplicate_state(struct drm_plane *plane,
 state->fence = NULL;
 state->commit = NULL;
+ state->fb_damage_clips = NULL;
 }
 EXPORT_SYMBOL(__drm_atomic_helper_plane_duplicate_state);
@@ -285,6 +286,8 @@ void __drm_atomic_helper_plane_destroy_state(struct drm_plane_state *state)
 if (state->commit)
 drm_crtc_commit_put(state->commit);
+
+ drm_property_blob_put(state->fb_damage_clips);
 }
 EXPORT_SYMBOL(__drm_atomic_helper_plane_destroy_state);
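Review bot: The added `state->fb_damage_clips = NULL;` clears the damage blob pointer in the duplicate rather than taking a reference for it, and nothing at the assignment says this is deliberate. It is what keeps the blob's reference count balanced once the destroy hunk adds `drm_property_blob_put()`: a duplicate that kept the copied pointer without a matching get would drop a reference it never took, and the blob could be freed while the original state still points at it. I would add `/* do not inherit the damage blob: no reference is taken for the copy */` above the line. The function body starts outside the hunk, so how the pointer got into `state` is not visible here.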
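Review bot: `drm_property_blob_put(state->fb_damage_clips);` is called without a NULL check, while the `state->commit` put directly above it is guarded by `if (state->commit)`. After the duplicate hunk the pointer is NULL in every duplicated state that never had damage clips attached, so this line depends on drm_property_blob_put() accepting NULL, which is not visible in this hunk. I would make that explicit with `/* drm_property_blob_put() is a no-op for NULL */` above the call, so the difference from the guarded put reads as intentional. Drivers that copy or free plane state without going through these two helpers would presumably need the same pair of changes, which this patch does not show.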