Hi Tomeu,

Two bugs in the job submission error path in rocket_job.c:

1) rocket_job_cleanup() unconditionally calls rocket_iommu_domain_put(job->domain), but job->domain is only assigned after all fallible operations in rocket_ioctl_submit_job(). On early failure, job->domain is NULL, causing a NULL pointer dereference.

2) rocket_copy_tasks() frees rjob->tasks on its error path but does not NULL the pointer. rocket_job_cleanup() frees it again, resulting in a double-free.

Patch 1 adds a NULL check for job->domain in rocket_job_cleanup(). Patch 2 sets rjob->tasks to NULL after freeing in rocket_copy_tasks().

Dhabaleshwar Das (2):
  accel/rocket: Add NULL check for domain in rocket_job_cleanup()
  accel/rocket: Fix double-free of tasks array in rocket_copy_tasks()

 drivers/accel/rocket/rocket_job.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Thanks,
Dhabaleshwar Das
Bug2_patch2_double_free.patch
Bug2_patch1_null_deref.patch
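The two bug classes in the cover letter (a destructor that assumes every field was initialised, and an error path that frees a buffer without clearing the pointer the destructor will free again) are easy to model outside the kernel. The following is an added example, not the rocket driver's code or the patches themselves: submit_job(), copy_tasks(), job_cleanup(), iommu_domain_put(), the instrumented allocator and the apply_fixes/fail_step switches are stand-ins written for this example. It fault-injects every fallible step of a job submission and counts NULL puts and double frees instead of crashing, with and without the two fixes applied.

```c
/*
 * Constructed userspace model of the two error-path bugs described above.
 * Not the driver's code: every function and variable here is a stand-in.
 * apply_fixes selects the behaviour before the patches (0) or after (1).
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16

static int apply_fixes;       /* 0 = before the patches, 1 = after */
static int double_frees;      /* frees of a pointer that is no longer live */
static int null_domain_puts;  /* put() called with a NULL domain */

/* Tracks live allocations so a double free is counted instead of crashing. */
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n)
{
	void *p = malloc(n);
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = p; return p; }
	free(p);
	return NULL;
}

static void tracked_free(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	double_frees++;  /* p was already released: bug 2 */
}

struct iommu_domain { int refs; };

static void iommu_domain_put(struct iommu_domain *d)
{
	if (!d) { null_domain_puts++; return; }  /* the real put() would fault here: bug 1 */
	d->refs--;
}

struct job {
	struct iommu_domain *domain;  /* assigned only after every fallible step */
	void *tasks;
};

static int fail_step;  /* fault injection: which step fails, 0 = none */

static int copy_tasks(struct job *job, size_t n)
{
	job->tasks = tracked_alloc(n * sizeof(int));
	if (!job->tasks)
		return -1;
	if (fail_step == 2) {  /* e.g. the user copy fails after the allocation */
		tracked_free(job->tasks);
		if (apply_fixes)
			job->tasks = NULL;  /* patch 2: cleanup must not free it again */
		return -1;
	}
	return 0;
}

/* Runs for every job, including ones whose submission failed early. */
static void job_cleanup(struct job *job)
{
	if (job->domain || !apply_fixes)  /* patch 1: tolerate an unassigned domain */
		iommu_domain_put(job->domain);
	tracked_free(job->tasks);
	job->tasks = NULL;
}

static int submit_job(struct iommu_domain *dom, size_t n)
{
	struct job *job = calloc(1, sizeof(*job));
	int ret = -1;

	if (!job)
		return -1;
	if (fail_step == 1)  /* a lookup fails before anything is allocated */
		goto out;
	if (copy_tasks(job, n))
		goto out;
	if (fail_step == 3)  /* a later fallible step */
		goto out;
	dom->refs++;
	job->domain = dom;   /* last assignment: nothing can fail after this */
	ret = 0;
out:
	job_cleanup(job);
	free(job);
	return ret;
}

/* Submits with every failure point; returns recorded faults plus any
 * refcount imbalance. Expected: 4 before the patches, 0 after. */
static int run_fault_injection(int fixed)
{
	struct iommu_domain dom = { .refs = 0 };

	apply_fixes = fixed;
	double_frees = null_domain_puts = 0;
	for (fail_step = 0; fail_step <= 3; fail_step++)
		submit_job(&dom, 4);
	fail_step = 0;
	return double_frees + null_domain_puts + dom.refs;
}

int main(void)
{
	printf("faults before patches: %d\n", run_fault_injection(0));
	printf("faults after patches:  %d\n", run_fault_injection(1));
	return 0;
}
```

The general rule the example enforces is the one both patches follow: a cleanup routine that can run on a partially initialised object must check each resource before releasing it, and any early release of a resource the cleanup will also release must leave the pointer NULL (or otherwise marked) so the release is idempotent. Fault-injecting each step in turn, as run_fault_injection() does, is a cheap way to check that invariant for every exit point rather than only the ones that happened to be hit in testing.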
