Add an early parameter check in amdgpu_cs_wait_fences_ioctl() to reject a zero fence_count with -EINVAL.
dma_fence_wait_any_timeout() requires count > 0. When userspace passes fence_count == 0, the call propagates down to dma_fence core which does not expect a zero-length array and triggers a WARN_ON. Return -EINVAL immediately so the caller gets a clear error instead of hitting an unexpected warning in the DMA fence subsystem. No functional change for well-formed userspace callers. v2: - Reworked commit message to clarify the parameter validation rationale - Removed verbose crash log from commit description - Simplified inline code comment Signed-off-by: Jesse Zhang <[email protected]> Reviewed-by: Vitaly Prosyak <[email protected]> --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index b8d23a9f6dd3..22aafa969b3d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1743,6 +1743,13 @@ int amdgpu_cs_wait_fences_ioctl(struct drm_device *dev, void *data, struct drm_amdgpu_fence *fences; int r; + /* + * fence_count must be non-zero; dma_fence_wait_any_timeout() + * does not accept an empty fence array. + */ + if (!wait->in.fence_count) + return -EINVAL; + /* Get the fences from userspace */ fences = memdup_array_user(u64_to_user_ptr(wait->in.fences), wait->in.fence_count, -- 2.49.0
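Review bot: the new `if (!wait->in.fence_count)` check sits at the top of amdgpu_cs_wait_fences_ioctl(), ahead of memdup_array_user(), so it returns -EINVAL for a zero count on every path through the ioctl, while the comment and the commit message justify it only by dma_fence_wait_any_timeout(). If the ioctl has a path that never reaches that function, a zero count that was previously accepted there will now fail, which is a userspace-visible change. Either confirm that is intended and say so in the comment, or move the check next to the dma_fence_wait_any_timeout() call. Since the commit message describes a WARN_ON triggered by a userspace-supplied value, a Fixes: tag naming the commit that introduced the unchecked path would also help backporting.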
