From c8eb0cd6b2531d21c26cae7979ff0ea2b70892eb Mon Sep 17 00:00:00 2001
From: Thierry Reding <treding@nvidia.com>
Date: Fri, 6 May 2022 15:52:49 +0200
Subject: [PATCH] drm/tegra: gem: Do not try to dereference ERR_PTR()

When mapping the DMA-BUF attachment fails, map->sgt will be an ERR_PTR-
encoded error code and the cleanup code would try to free that memory,
which obviously would fail.

Zero out that pointer after extracting the error code when this happens
so that kfree() can do the right thing.

Bug 3706991

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Change-Id: I6870559061cb91fb6ff01bc458a816f56ce8b978
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2744243
(cherry picked from commit 9d625d7f7fa2f1769c6f7f856b4ca7562ccba1e6)
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2744600
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
GVS: Gerrit_Virtual_Submit
---
 drivers/gpu/drm/tegra/gem.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
index 3922424b..e6c13ee2 100644
--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -91,6 +91,7 @@ static struct host1x_bo_mapping *tegra_bo_pin(struct device *dev, struct host1x_
 		if (IS_ERR(map->sgt)) {
 			dma_buf_detach(buf, map->attach);
 			err = PTR_ERR(map->sgt);
+			map->sgt = NULL;
 			goto free;
 		}