diff mbox series

drm/vmwgfx: Fix possible usage of an uninitialized variable

Message ID 20211215200224.3693345-1-zack@kde.org (mailing list archive)
State New, archived
Headers show
Series drm/vmwgfx: Fix possible usage of an uninitialized variable | expand

Commit Message

Zack Rusin Dec. 15, 2021, 8:02 p.m. UTC 
From: Zack Rusin <zackr@vmware.com>

vmw_user_bo_lookup can fail to lookup user buffers, especially because
the buffer handles come from the userspace. The return value has
to be checked before the buffers are put back.

This was spotted by Dan's Smatch statick checker:
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.c:574 vmw_user_bo_synccpu_release()
	error: uninitialized symbol 'vmw_bo'.

Signed-off-by: Zack Rusin <zackr@vmware.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
---
 drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Martin Krastev Dec. 16, 2021, 9:49 a.m. UTC | #1 
On Wed, 2021-12-15 at 15:02 -0500, Zack Rusin wrote:
> From: Zack Rusin <zackr@vmware.com>
> 
> vmw_user_bo_lookup can fail to lookup user buffers, especially because
> the buffer handles come from the userspace. The return value has
> to be checked before the buffers are put back.
> 
> This was spotted by Dan's Smatch statick checker:
>     drivers/gpu/drm/vmwgfx/vmwgfx_bo.c:574 vmw_user_bo_synccpu_release()
> 	error: uninitialized symbol 'vmw_bo'.
> 
> Signed-off-by: Zack Rusin <zackr@vmware.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> index 15fead85450c..31aecc46624b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
> @@ -568,10 +568,12 @@ static int vmw_user_bo_synccpu_release(struct drm_file *filp,
>  	struct vmw_buffer_object *vmw_bo;
>  	int ret = vmw_user_bo_lookup(filp, handle, &vmw_bo);
>  
> -	if (!(flags & drm_vmw_synccpu_allow_cs)) {
> -		atomic_dec(&vmw_bo->cpu_writers);
> +	if (!ret) {
> +		if (!(flags & drm_vmw_synccpu_allow_cs)) {
> +			atomic_dec(&vmw_bo->cpu_writers);
> +		}
> +		ttm_bo_put(&vmw_bo->base);
>  	}
> -	ttm_bo_put(&vmw_bo->base);
>  
>  	return ret;
>  }

Reviewed-by: Martin Krastev <krastevm@vmware.com>
diff mbox series

Patch

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
index 15fead85450c..31aecc46624b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
@@ -568,10 +568,12 @@  static int vmw_user_bo_synccpu_release(struct drm_file *filp,
 	struct vmw_buffer_object *vmw_bo;
 	int ret = vmw_user_bo_lookup(filp, handle, &vmw_bo);
 
-	if (!(flags & drm_vmw_synccpu_allow_cs)) {
-		atomic_dec(&vmw_bo->cpu_writers);
+	if (!ret) {
+		if (!(flags & drm_vmw_synccpu_allow_cs)) {
+			atomic_dec(&vmw_bo->cpu_writers);
+		}
+		ttm_bo_put(&vmw_bo->base);
 	}
-	ttm_bo_put(&vmw_bo->base);
 
 	return ret;
 }