drm/nouveau/gem: fix "refcount_t: underflow; use-after-free"

[ Upstream commit 925681454d7b557d404b5d28ef4469fac1b2e105 ]

we can't use nouveau_bo_ref here as no ttm object was allocated and
nouveau_bo_ref mainly deals with that. Simply deallocate the object.

Signed-off-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 81f111ad3f4fd8eebd2953dcde9b95077161a1da..124d3dcc5c5900f42ff968c6c351e2fcf3f759b5 100644 (file)
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -198,7 +198,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
         * to the caller, instead of a normal nouveau_bo ttm reference. */
        ret = drm_gem_object_init(drm->dev, &nvbo->bo.base, size);
        if (ret) {
-               nouveau_bo_ref(NULL, &nvbo);
+               drm_gem_object_release(&nvbo->bo.base);
+               kfree(nvbo);
                return ret;
        }