intel: Add handle to hashtable before freeing along an error path

drm_intel_gem_bo_free() unconditionally attempts to remove the handle
from the hashtable. This goes horribly wrong if we haven't already added
the bo to the hashtable.

Reported-by: Michael Thayer <michael.thayer@oracle.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

diff --git a/intel/intel_bufmgr_gem.c b/intel/intel_bufmgr_gem.c
index b1e6907..e260f2d 100644 (file)
--- a/intel/intel_bufmgr_gem.c
+++ b/intel/intel_bufmgr_gem.c
@@ -815,6 +815,10 @@ retry:
                }
 
                bo_gem->gem_handle = create.handle;
+               HASH_ADD(handle_hh, bufmgr_gem->handle_table,
+                        gem_handle, sizeof(bo_gem->gem_handle),
+                        bo_gem);
+
                bo_gem->bo.handle = bo_gem->gem_handle;
                bo_gem->bo.bufmgr = bufmgr;
                bo_gem->bo.align = alignment;
@@ -827,10 +831,6 @@ retry:
                                                         tiling_mode,
                                                         stride))
                        goto err_free;
-
-               HASH_ADD(handle_hh, bufmgr_gem->handle_table,
-                        gem_handle, sizeof(bo_gem->gem_handle),
-                        bo_gem);
        }
 
        bo_gem->name = name;