In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: avoid a use-after-free when BO init fails nouveauboinit() is backed by ttmboinit() and ferries its return code back to the caller. On failures, ttmboinit() invokes the provided destructor which should de-initialize and free the memory. Thus, when nouveauboinit() returns an error the gem object has already been released and the memory freed by nouveaubodel_ttm().