On 3/17/26 02:17, Jesse.Zhang wrote: > Add an early parameter check in amdgpu_cs_wait_fences_ioctl() to reject > a zero fence_count with -EINVAL. > > dma_fence_wait_any_timeout() requires count > 0. When userspace passes > fence_count == 0, the call propagates down to dma_fence core which does > not expect a zero-length array and triggers a WARN_ON. > > Return -EINVAL immediately so the caller gets a clear error instead of > hitting an unexpected warning in the DMA fence subsystem. > > No functional change for well-formed userspace callers. > > v2: > - Reworked commit message to clarify the parameter validation rationale > - Removed verbose crash log from commit description > - Simplified inline code comment > > Signed-off-by: Jesse Zhang <[email protected]> > Reviewed-by: Vitaly Prosyak <[email protected]>
Good catch, Reviewed-by: Christian König <[email protected]> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > index b8d23a9f6dd3..22aafa969b3d 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c > @@ -1743,6 +1743,13 @@ int amdgpu_cs_wait_fences_ioctl(struct drm_device > *dev, void *data, > struct drm_amdgpu_fence *fences; > int r; > > + /* > + * fence_count must be non-zero; dma_fence_wait_any_timeout() > + * does not accept an empty fence array. > + */ > + if (!wait->in.fence_count) > + return -EINVAL; > + > /* Get the fences from userspace */ > fences = memdup_array_user(u64_to_user_ptr(wait->in.fences), > wait->in.fence_count,
