drm/vmwgfx: Fix possible usage of an uninitialized variable

vmw_user_bo_lookup can fail to lookup user buffers, especially because
the buffer handles come from the userspace. The return value has
to be checked before the buffers are put back.

This was spotted by Dan's Smatch statick checker:
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.c:574 vmw_user_bo_synccpu_release()
	error: uninitialized symbol 'vmw_bo'.

Signed-off-by: Zack Rusin <zackr@vmware.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211215200224.3693345-1-zack@kde.org

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
index 15fead85450c3ebd7e0a9bfcd3333501377d6bee..31aecc46624b3fa27fea8e5d3bb29b145e7810e8 100644 (file)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
@@ -568,10 +568,12 @@ static int vmw_user_bo_synccpu_release(struct drm_file *filp,
        struct vmw_buffer_object *vmw_bo;
        int ret = vmw_user_bo_lookup(filp, handle, &vmw_bo);
 
-       if (!(flags & drm_vmw_synccpu_allow_cs)) {
-               atomic_dec(&vmw_bo->cpu_writers);
+       if (!ret) {
+               if (!(flags & drm_vmw_synccpu_allow_cs)) {
+                       atomic_dec(&vmw_bo->cpu_writers);
+               }
+               ttm_bo_put(&vmw_bo->base);
        }
-       ttm_bo_put(&vmw_bo->base);
 
        return ret;
 }