From: Frediano Ziglio Date: Wed, 3 Jun 2015 11:09:12 +0000 (+0100) Subject: drm/qxl: Avoid double free on error X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=fe2af53baec1b3b64ee343d4e7e6a351e52e3b48;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/qxl: Avoid double free on error Is we are not able to get source bo object from handle we free destination bo object and call cleanup code however destination object was already inserted in reloc_info array (num_relocs was already incremented) so on cleanup we free destination again. Signed-off-by: Frediano Ziglio Reviewed-by: Dave Airlie Signed-off-by: Dave Airlie --- diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index 9bf1368bc92c..77fcde6f3465 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -240,8 +240,6 @@ static int qxl_process_single_command(struct qxl_device *qdev, qxlhw_handle_to_bo(qdev, file_priv, reloc.src_handle, release); if (!reloc_info[i].src_bo) { - if (reloc_info[i].dst_bo != cmd_bo) - drm_gem_object_unreference_unlocked(&reloc_info[i].dst_bo->gem_base); ret = -EINVAL; goto out_free_bos; }