rocket_ioctl_submit_job() releases rjob through rocket_job_put() on
allocation error paths. rocket_job_cleanup() unconditionally calls
rocket_iommu_domain_put(job->domain), but job->domain is assigned only
after task copying and BO lookups. A failure before that assignment can
therefore clean up a job with a NULL domain pointer.

Take the per-file domain reference before the first error path can release
rjob. Also clear rjob->tasks after freeing it in rocket_copy_tasks(), so
the common cleanup path cannot free the task array again after a task-copy
error.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Cc: [email protected]
Signed-off-by: Shuvam Pandey <[email protected]>
---
 drivers/accel/rocket/rocket_job.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/accel/rocket/rocket_job.c 
b/drivers/accel/rocket/rocket_job.c
index 2f1861f960cc..2b7222afc197 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -102,6 +102,7 @@ rocket_copy_tasks(struct drm_device *dev,
 
 fail:
        kvfree(rjob->tasks);
+       rjob->tasks = NULL;
        return ret;
 }
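Review bot: The `rjob->tasks = NULL;` store added after `kvfree(rjob->tasks)` under `fail:` has no comment explaining why it is needed, and a bare NULL store after a free is easily removed later as redundant. A one-line comment would protect the double-free guard, e.g. `/* The common job cleanup path frees rjob->tasks again; clear it so the task array is not freed twice. */`. The body of rocket_copy_tasks() starts outside the hunk, so the exits that reach `fail:` are not visible here.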
 
@@ -548,6 +549,7 @@ static int rocket_ioctl_submit_job(struct drm_device *dev, 
struct drm_file *file
        kref_init(&rjob->refcount);
 
        rjob->rdev = rdev;
+       rjob->domain = rocket_iommu_domain_get(file_priv);
 
        ret = drm_sched_job_init(&rjob->base,
                                 &file_priv->sched_entity,
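Review bot: The `rocket_iommu_domain_get(file_priv)` reference is now taken before `drm_sched_job_init()`, so every later failure path must reach `rocket_job_put()` or the reference leaks. The error branch of `drm_sched_job_init()` is outside this hunk and should be checked for that. The ordering is also easy to undo in a later refactor, so a comment above the assignment would help, e.g. `/* Take the domain ref before any path that can put rjob: rocket_job_cleanup() puts job->domain unconditionally. */`. If rocket_iommu_domain_get() can ever return NULL (not visible here), the cleanup side would still need a NULL check. The function body starts and ends outside the hunk.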
@@ -573,8 +575,6 @@ static int rocket_ioctl_submit_job(struct drm_device *dev, 
struct drm_file *file
 
        rjob->out_bo_count = job->out_bo_handle_count;
 
-       rjob->domain = rocket_iommu_domain_get(file_priv);
-
        ret = rocket_job_push(rjob);
        if (ret)
                goto out_cleanup_job;
