From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Mon, 25 Jan 2021 08:47:12 +0000 Subject: [PATCH] drm/i915/gem: Fix oops in error handling code Message-Id: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Jani Nikula Cc: David Airlie , intel-gfx@lists.freedesktop.org, kernel-janitors@vger.kernel.org, "Gustavo A. R. Silva" , Chris Wilson , Matthew Auld , Wambui Karuga This code will Oops when it tries to i915_gem_object_free(obj) because "obj" is an error pointer. Fixes: 97d553963250 ("drm/i915/region: convert object_create into object_init") Signed-off-by: Dan Carpenter --- drivers/gpu/drm/i915/gem/i915_gem_stolen.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_stolen.c b/drivers/gpu/drm/i915/gem/i915_gem_stolen.c index 551935348ad8..a1e197a6e999 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_stolen.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_stolen.c @@ -753,22 +753,18 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915, mutex_lock(&i915->mm.stolen_lock); ret = drm_mm_reserve_node(&i915->mm.stolen, stolen); mutex_unlock(&i915->mm.stolen_lock); - if (ret) { - obj = ERR_PTR(ret); + if (ret) goto err_free; - } obj = i915_gem_object_alloc(); if (!obj) { - obj = ERR_PTR(-ENOMEM); + ret = -ENOMEM; goto err_stolen; } ret = __i915_gem_object_create_stolen(mem, obj, stolen); - if (ret) { - obj = ERR_PTR(ret); + if (ret) goto err_object_free; - } i915_gem_object_set_cache_coherency(obj, I915_CACHE_NONE); return obj; @@ -779,7 +775,7 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915, i915_gem_stolen_remove_node(i915, stolen); err_free: kfree(stolen); - return obj; + return ERR_PTR(ret); } bool i915_gem_object_is_stolen(const struct drm_i915_gem_object *obj) -- 2.29.2