[PATCH 0/2] accel/rocket: Fix NULL deref and double-free in job submit error path

D D posted 2 patches 1 week, 5 days ago
Hi Tomeu,

Two bugs in the job submission error path in rocket_job.c:

1) rocket_job_cleanup() unconditionally calls
   rocket_iommu_domain_put(job->domain), but job->domain is only
   assigned after all fallible operations in
   rocket_ioctl_submit_job(). On early failure, job->domain is NULL,
   causing a NULL pointer dereference.

2) rocket_copy_tasks() frees rjob->tasks on its error path but does
   not NULL the pointer. rocket_job_cleanup() frees it again,
   resulting in a double-free.

Patch 1 adds a NULL check for job->domain in rocket_job_cleanup().
Patch 2 sets rjob->tasks to NULL after freeing in rocket_copy_tasks().

Dhabaleshwar Das (2):
  accel/rocket: Add NULL check for domain in rocket_job_cleanup()
  accel/rocket: Fix double-free of tasks array in rocket_copy_tasks()

 drivers/accel/rocket/rocket_job.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Thanks,
Dhabaleshwar Das
From: Dhabaleshwar Das <dhabal123@gmail.com>
Date: Wed, 28 May 2026 00:00:00 +0530
Subject: [PATCH 2/2] accel/rocket: Fix double-free of tasks array in rocket_copy_tasks()

rocket_copy_tasks() frees rjob->tasks via kvfree() on its error path
but does not set the pointer to NULL. When the caller's error path
later reaches rocket_job_cleanup() via rocket_job_put(),
rocket_job_cleanup() calls kvfree(job->tasks) again, resulting in a
double-free.

Set rjob->tasks to NULL after freeing it in rocket_copy_tasks() so
that the subsequent kvfree() in rocket_job_cleanup() is a safe no-op.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Signed-off-by: Dhabaleshwar Das <dhabal123@gmail.com>
---
 drivers/accel/rocket/rocket_job.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c
index abcdef1..1234567 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -101,6 +101,7 @@ static int rocket_copy_tasks(struct drm_device *dev, struct drm_file *file,

 fail:
 	kvfree(rjob->tasks);
+	rjob->tasks = NULL;
 	return ret;
 }
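Review bot: the split ownership of rjob->tasks is the real problem at `fail:`, and `rjob->tasks = NULL;` only papers over it. The commit message states that the caller's error path always reaches rocket_job_cleanup(), which kvfree()s job->tasks, so the smaller fix is to delete the `kvfree(rjob->tasks);` at `fail:` and let cleanup be the single place the array is freed. If the free is kept here, the NULL assignment is correct as written, since kvfree(NULL) is a no-op, but a short comment noting that rocket_job_cleanup() will free the array would help the next reader.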
From: Dhabaleshwar Das <dhabal123@gmail.com>
Date: Wed, 28 May 2026 00:00:00 +0530
Subject: [PATCH 1/2] accel/rocket: Add NULL check for domain in rocket_job_cleanup()

In rocket_ioctl_submit_job(), if rocket_copy_tasks() or
drm_gem_objects_lookup() fails, the error path reaches
rocket_job_cleanup() via rocket_job_put(). rocket_job_cleanup()
unconditionally calls rocket_iommu_domain_put(job->domain), but
job->domain is only assigned after all the fallible operations. Since
the job struct is zeroed by kzalloc, job->domain is NULL on early
failure, causing a NULL pointer dereference in
rocket_iommu_domain_put() which calls kref_put() on a NULL pointer.

Add a NULL check before calling rocket_iommu_domain_put().

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Signed-off-by: Dhabaleshwar Das <dhabal123@gmail.com>
---
 drivers/accel/rocket/rocket_job.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c
index abcdef1..1234567 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -233,7 +233,8 @@ static void rocket_job_cleanup(struct kref *ref)
 	struct rocket_job *job = container_of(ref, struct rocket_job,
 						refcount);
 	unsigned int i;

-	rocket_iommu_domain_put(job->domain);
+	if (job->domain)
+		rocket_iommu_domain_put(job->domain);

 	dma_fence_put(job->done_fence);
 	dma_fence_put(job->inference_done_fence);
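Review bot: guarding only this call site leaves any other caller of rocket_iommu_domain_put() exposed to the same kref_put() on NULL. Making rocket_iommu_domain_put() return early when the domain is NULL, in the same way the two dma_fence_put() calls directly below this hunk already tolerate a NULL fence, fixes the problem in one place and lets `rocket_iommu_domain_put(job->domain);` stay unconditional. If the check is kept here, the hunk is correct as written given the kzalloc()-zeroed job the commit message describes.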