The __dma_fence_unwrap_merge() function is supposed to return NULL on error. But the dma_fence_allocate_private_stub() returns error pointers so check for that and covert the error pointers to NULL returns. Otherwise, the callers do not expect error pointers and it leads to an Oops. Fixes: f781f661e8c9 ("dma-buf: keep the signaling time of merged fences v3") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/dma-buf/dma-fence-unwrap.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c index c625bb2b5d56..d183eda0db89 100644 --- a/drivers/dma-buf/dma-fence-unwrap.c +++ b/drivers/dma-buf/dma-fence-unwrap.c @@ -94,8 +94,12 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences, * If we couldn't find a pending fence just return a private signaled * fence with the timestamp of the last signaled one. */ - if (count == 0) - return dma_fence_allocate_private_stub(timestamp); + if (count == 0) { + tmp = dma_fence_allocate_private_stub(timestamp); + if (IS_ERR(tmp)) + return NULL; + return tmp; + } array = kmalloc_array(count, sizeof(*array), GFP_KERNEL); if (!array) @@ -176,6 +180,8 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences, return_tmp: kfree(array); + if (IS_ERR(tmp)) + return NULL; return tmp; } EXPORT_SYMBOL_GPL(__dma_fence_unwrap_merge); -- 2.39.2