dma_fence_dedup_array() returns 1 when called with num_fences == 0: the for-loop body never executes, j stays at 0, and the final `return ++j` yields 1. This contradicts both the kernel-doc ("Return: Number of unique fences remaining in the array") and the natural expectation that 0 input gives 0 output.

All in-tree callers currently filter num_fences == 0 before invoking this helper (__dma_fence_unwrap_merge() bails out via the `if (count == 0 || count == 1)` fast path; amdgpu_userq_wait_*() cannot reach the dedup call with a zero local count because the amdgpu_userq_wait_add_fence() helper guarantees num_fences stays in [0, wait_info->num_fences], and wait_info->num_fences > 0 is enforced at the ioctl entry).

However, dma_fence_dedup_array() is EXPORT_SYMBOL_GPL, so any future caller that forgets to pre-filter the zero case will get a misleading return value of 1. Depending on how that caller uses the result, it could dereference an uninitialized fence slot in the array, since the caller's array may have been allocated but not yet populated.

Make the contract match the documentation by returning 0 early. This also skips an unnecessary sort() call on an empty array.

Signed-off-by: Baineng Shou shoubaineng@gmail.com --- drivers/dma-buf/dma-fence-unwrap.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c index 53bb40e70b27..364cbf79ad73 100644 --- a/drivers/dma-buf/dma-fence-unwrap.c +++ b/drivers/dma-buf/dma-fence-unwrap.c @@ -97,6 +97,9 @@ int dma_fence_dedup_array(struct dma_fence **fences, int num_fences) { int i, j;

+ if (!num_fences) + return 0; + sort(fences, num_fences, sizeof(*fences), fence_cmp, NULL);

/*