The function drm_syncobj_fence_get() may return NULL if the syncobj has no fence. In eb_fences_add(), this return value is not checked, leading to a potential NULL pointer dereference in i915_request_await_dma_fence().
This patch adds a check for the return value of drm_syncobj_fence_get and returns an error if it is NULL, preventing the NULL pointer dereference.
Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf") Cc: stable@vger.kernel.org # 5.16+ Signed-off-by: Wentao Liang vulab@iscas.ac.cn --- drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c index f151640c1d13..7da65535feb9 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -3252,6 +3252,12 @@ eb_fences_add(struct i915_execbuffer *eb, struct i915_request *rq, struct dma_fence *fence;
fence = drm_syncobj_fence_get(eb->gem_context->syncobj); + if (!fence) { + drm_dbg(&eb->i915->drm, + "Syncobj handle has no fence\n"); + return ERR_PTR(-EINVAL); + } + err = i915_request_await_dma_fence(rq, fence); dma_fence_put(fence); if (err)