In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: avoid a use-after-free when BO init fails
nouveauboinit() is backed by ttmboinit() and ferries its return code back to the caller. On failures, ttmboinit() invokes the provided destructor which should de-initialize and free the memory.
Thus, when nouveauboinit() returns an error the gem object has already been released and the memory freed by nouveaubodel_ttm().