[PATCH] dma-buf: fix an error pointer vs NULL bug

[Dan Carpenter]

The __dma_fence_unwrap_merge() function is supposed to return NULL on
error.  But the dma_fence_allocate_private_stub() returns error pointers
so check for that and covert the error pointers to NULL returns.
Otherwise, the callers do not expect error pointers and it leads to an
Oops.

Fixes: f781f661e8c9 ("dma-buf: keep the signaling time of merged fences v3")
Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
---
 drivers/dma-buf/dma-fence-unwrap.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c
index c625bb2b5d56..d183eda0db89 100644
--- a/drivers/dma-buf/dma-fence-unwrap.c
+++ b/drivers/dma-buf/dma-fence-unwrap.c
@@ -94,8 +94,12 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences,
 	 * If we couldn't find a pending fence just return a private signaled
 	 * fence with the timestamp of the last signaled one.
 	 */
-	if (count == 0)
-		return dma_fence_allocate_private_stub(timestamp);
+	if (count == 0) {
+		tmp = dma_fence_allocate_private_stub(timestamp);
+		if (IS_ERR(tmp))
+			return NULL;
+		return tmp;
+	}
 
 	array = kmalloc_array(count, sizeof(*array), GFP_KERNEL);
 	if (!array)
@@ -176,6 +180,8 @@ struct dma_fence *__dma_fence_unwrap_merge(unsigned int num_fences,
 
 return_tmp:
 	kfree(array);
+	if (IS_ERR(tmp))
+		return NULL;
 	return tmp;
 }
 EXPORT_SYMBOL_GPL(__dma_fence_unwrap_merge);
-- 
2.39.2