The __dma_fence_unwrap_merge() function is supposed to return NULL on
error. But the dma_fence_allocate_private_stub() returns error pointers
so check for that and covert the error pointers to NULL returns.
Otherwise, the callers do not expect error pointers and it leads to an
Oops.
Fixes: f781f661e8c9 ("dma-buf: keep the signaling time of merged fences v3")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/dma-buf/dma-fence-unwrap.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c
index c625bb2b5d56..d183eda0db89 100644
--- a/drivers/dma-buf/dma-fence-unwrap.c
+++ b/drivers/dma-buf/dma-fence-unwrap.c
@@ -94,8 +94,12 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences,
* If we couldn't find a pending fence just return a private signaled
* fence with the timestamp of the last signaled one.
*/
- if (count == 0)
- return dma_fence_allocate_private_stub(timestamp);
+ if (count == 0) {
+ tmp = dma_fence_allocate_private_stub(timestamp);
+ if (IS_ERR(tmp))
+ return NULL;
+ return tmp;
+ }
array = kmalloc_array(count, sizeof(*array), GFP_KERNEL);
if (!array)
@@ -176,6 +180,8 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences,
return_tmp:
kfree(array);
+ if (IS_ERR(tmp))
+ return NULL;
return tmp;
}
EXPORT_SYMBOL_GPL(__dma_fence_unwrap_merge);
--
2.39.2
