The function drm_syncobj_fence_get() may return NULL if the syncobj
has no fence. In eb_fences_add(), this return value is not checked,
leading to a potential NULL pointer dereference in
i915_request_await_dma_fence().
This patch adds a check for the return value of drm_syncobj_fence_get
and returns an error if it is NULL, preventing the NULL pointer
dereference.
Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf")
Cc: stable@xxxxxxxxxxxxxxx # 5.16+
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
index f151640c1d13..7da65535feb9 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -3252,6 +3252,12 @@ eb_fences_add(struct i915_execbuffer *eb, struct i915_request *rq,
struct dma_fence *fence;
fence = drm_syncobj_fence_get(eb->gem_context->syncobj);
+ if (!fence) {
+ drm_dbg(&eb->i915->drm,
+ "Syncobj handle has no fence\n");
+ return ERR_PTR(-EINVAL);
+ }
+
err = i915_request_await_dma_fence(rq, fence);
dma_fence_put(fence);
if (err)
--
2.42.0.windows.2
