This code will Oops when it tries to i915_gem_object_free(obj) because "obj" is an error pointer. Fixes: 97d553963250 ("drm/i915/region: convert object_create into object_init") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/gpu/drm/i915/gem/i915_gem_stolen.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_stolen.c b/drivers/gpu/drm/i915/gem/i915_gem_stolen.c index 551935348ad8..a1e197a6e999 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_stolen.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_stolen.c @@ -753,22 +753,18 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915, mutex_lock(&i915->mm.stolen_lock); ret = drm_mm_reserve_node(&i915->mm.stolen, stolen); mutex_unlock(&i915->mm.stolen_lock); - if (ret) { - obj = ERR_PTR(ret); + if (ret) goto err_free; - } obj = i915_gem_object_alloc(); if (!obj) { - obj = ERR_PTR(-ENOMEM); + ret = -ENOMEM; goto err_stolen; } ret = __i915_gem_object_create_stolen(mem, obj, stolen); - if (ret) { - obj = ERR_PTR(ret); + if (ret) goto err_object_free; - } i915_gem_object_set_cache_coherency(obj, I915_CACHE_NONE); return obj; @@ -779,7 +775,7 @@ i915_gem_object_create_stolen_for_preallocated(struct drm_i915_private *i915, i915_gem_stolen_remove_node(i915, stolen); err_free: kfree(stolen); - return obj; + return ERR_PTR(ret); } bool i915_gem_object_is_stolen(const struct drm_i915_gem_object *obj) -- 2.29.2