drm/i915: Only destroy a constructed mmap offset

Message ID 1252569184-32748-1-git-send-email-chris@chris-wilson.co.uk (mailing list archive)
State Accepted
Chris Wilson Sept. 10, 2009, 7:53 a.m. UTC
drm_ht_remove_item() does not handle removing an absent item and the hlist
in particular is incorrectly initialised. The easy remedy is simply skip
calling i915_gem_free_mmap_offset() unless we have actually created the
offset and associated ht entry.

This also fixes the mishandling of a partially constructed offset which
leaves pointers initialized after freeing them along the
i915_gem_create_mmap_offset() error paths.

In particular this should fix the oops found here:

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
 drivers/gpu/drm/i915/i915_gem.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index be0c5dd..6305ea3 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -3856,7 +3856,8 @@  void i915_gem_free_object(struct drm_gem_object *obj)
-	i915_gem_free_mmap_offset(obj);
+	if (obj_priv->mmap_offset)
+		i915_gem_free_mmap_offset(obj);