drm/qxl: Avoid double free on error

Is we are not able to get source bo object from handle we free destination bo object and call cleanup code however destination object was already inserted in reloc_info array (num_relocs was already incremented) so on cleanup we free destination again. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>

drm/qxl: Avoid double free on error
Is we are not able to get source bo object from handle we free destination bo object and call cleanup code however destination object was already inserted in reloc_info array (num_relocs was already incremented) so on cleanup we free destination again. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
fe2af53b · Frediano Ziglio · Dave Airlie · 55cc3df0 · fe2af53b
Commit fe2af53b authored Jun 03, 2015 by Frediano Ziglio Committed by Dave Airlie Jun 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 2 deletions

drivers/gpu/drm/qxl/qxl_ioctl.c drivers/gpu/drm/qxl/qxl_ioctl.c +0 -2

No files found.
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -240,8 +240,6 @@ static int qxl_process_single_command(struct qxl_device *qdev,
 				qxlhw_handle_to_bo(qdev, file_priv,
 						   reloc.src_handle, release);
 			if (!reloc_info[i].src_bo) {
-				if (reloc_info[i].dst_bo != cmd_bo)
-					drm_gem_object_unreference_unlocked(&reloc_info[i].dst_bo->gem_base);
 				ret = -EINVAL;
 				goto out_free_bos;
 			}