drm/qxl: Avoid double free on error

Is we are not able to get source bo object from handle we free
destination bo object and call cleanup code however destination
object was already inserted in reloc_info array (num_relocs was
already incremented) so on cleanup we free destination again.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index 9bf1368bc92c94bf7d68b3ddeccfa0e397247d23..77fcde6f34656863646b09f5bf20c4c9ee3efd48 100644 (file)
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -240,8 +240,6 @@ static int qxl_process_single_command(struct qxl_device *qdev,
                                qxlhw_handle_to_bo(qdev, file_priv,
                                                   reloc.src_handle, release);
                        if (!reloc_info[i].src_bo) {
-                               if (reloc_info[i].dst_bo != cmd_bo)
-                                       drm_gem_object_unreference_unlocked(&reloc_info[i].dst_bo->gem_base);
                                ret = -EINVAL;
                                goto out_free_bos;
                        }