authorLee Jones <joneslee@google.com>2024-04-18 16:13:20 +0000
committerLee Jones <joneslee@google.com>2024-04-22 19:52:04 +0000
commitcb03117b76f832cf7aef613ee38b6b945456b641 (patch)
tree9013712300f7f79670e28cd9a64999d2acc22f59
parentdeede4fddac274575cb0e26498fc0f4a718229fb (diff)
downloadvirtual-device-android13-5.15.tar.gz
ANDROID: drm/virtio: Repair error path in virtio_gpu_object_create()android13-5.15
Commit ccf0951 ("CHROMIUM: drm/virtio: implement resource info for blobs") changed the semantics of the error handling when virtio_gpu_object_shmem_init() fails, forcing it down through some additional resource freeing calls, which ultimately results in multiple double-frees. Move the call to virtio_gpu_array_unlock_resv() back up into virtio_gpu_object_shmem_init()'s specific error path and return straight away, as was intended by the original author. Bug: 324161692 Fixes: ccf0951 ("CHROMIUM: drm/virtio: implement resource info for blobs") Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I813edc78fc176819822bb6bfa660f9622ebb0a8f
-rw-r--r--virtio_gpu/virtgpu_object.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/virtio_gpu/virtgpu_object.c b/virtio_gpu/virtgpu_object.c
index fc9864e..530d21f 100644
--- a/virtio_gpu/virtgpu_object.c
+++ b/virtio_gpu/virtgpu_object.c
@@ -250,7 +250,9 @@ int virtio_gpu_object_create(struct virtio_gpu_device *vgdev,
if (ret != 0) {
virtio_gpu_array_put_free(objs);
virtio_gpu_free_object(&shmem_obj->base);
- goto err_unlock_resv;
+ if (fence)
+ virtio_gpu_array_unlock_resv(objs);
+ return ret;
}
if (params->blob) {
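Review bot: In the rewritten failure branch, `virtio_gpu_array_unlock_resv(objs)` runs after `virtio_gpu_array_put_free(objs)` and `virtio_gpu_free_object(&shmem_obj->base)` have already been called on the same objects. If put_free releases the array and the object references it holds (its definition is not in the hunk, but the name suggests it), the unlock would touch freed memory whenever `fence` is set, trading the double free this commit removes for a use-after-free. Unlocking before anything is released avoids that: move `if (fence)` and `virtio_gpu_array_unlock_resv(objs);` ahead of `virtio_gpu_array_put_free(objs);`. A short comment such as `/* drop the resv lock before releasing objs and the BO */` would keep the ordering from being shuffled again. The body of virtio_gpu_object_create() starts and ends outside this hunk, so the lock acquisition itself is not visible here.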
@@ -272,9 +274,6 @@ int virtio_gpu_object_create(struct virtio_gpu_device *vgdev,
*bo_ptr = bo;
return 0;
-err_unlock_resv:
- if (fence)
- virtio_gpu_array_unlock_resv(objs);
err_put_objs:
virtio_gpu_array_put_free(objs);
err_put_id: