@@ -753,22 +753,18 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915,
mutex_lock(&i915->mm.stolen_lock);
ret = drm_mm_reserve_node(&i915->mm.stolen, stolen);
mutex_unlock(&i915->mm.stolen_lock);
- if (ret) {
- obj = ERR_PTR(ret);
+ if (ret)
goto err_free;
- }
obj = i915_gem_object_alloc();
if (!obj) {
- obj = ERR_PTR(-ENOMEM);
+ ret = -ENOMEM;
goto err_stolen;
}
ret = __i915_gem_object_create_stolen(mem, obj, stolen);
- if (ret) {
- obj = ERR_PTR(ret);
+ if (ret)
goto err_object_free;
- }
i915_gem_object_set_cache_coherency(obj, I915_CACHE_NONE);
return obj;
@@ -779,7 +775,7 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915,
i915_gem_stolen_remove_node(i915, stolen);
err_free:
kfree(stolen);
- return obj;
+ return ERR_PTR(ret);
}
bool i915_gem_object_is_stolen(const struct drm_i915_gem_object *obj)
This code will Oops when it tries to i915_gem_object_free(obj) because "obj" is an error pointer. Fixes: 97d553963250 ("drm/i915/region: convert object_create into object_init") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/gpu/drm/i915/gem/i915_gem_stolen.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-)