drm: fix null pointer dereference on null state pointer

In the case where state cannot be allocated, the current exit path via
label 'out' will dereference the null state pointer when calling
drm_atomic_state_put. Fix this by adding a new error exit label and
jumping to this to avoid the drm_atomic_state_put.

Detected by CoverityScan, CID#1476034 ("Dereference after null check")

Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]

diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index d2a1c7372f362c686993b74ce1200010962a9858..31032407254d4dab631fb863f58ee5353dbfeb08 100644 (file)
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -178,7 +178,7 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
        state = drm_atomic_state_alloc(fb->dev);
        if (!state) {
                ret = -ENOMEM;
-               goto out;
+               goto out_drop_locks;
        }
        state->acquire_ctx = &ctx;
 
@@ -238,6 +238,7 @@ out:
        kfree(rects);
        drm_atomic_state_put(state);
 
+out_drop_locks:
        drm_modeset_drop_locks(&ctx);
        drm_modeset_acquire_fini(&ctx);