rocket_ioctl_submit_job() releases rjob through rocket_job_put() on
allocation error paths. rocket_job_cleanup() unconditionally calls
rocket_iommu_domain_put(job->domain), but job->domain is assigned only
after task copying and BO lookups. A failure before that assignment can
therefore clean up a job with a NULL domain pointer.

Take the per-file domain reference before the first error path can release
rjob. Also clear rjob->tasks after freeing it in rocket_copy_tasks(), so
the common cleanup path cannot free the task array again after a task-copy
error.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Cc: [email protected]
Signed-off-by: Shuvam Pandey <[email protected]>
---
drivers/accel/rocket/rocket_job.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/accel/rocket/rocket_job.c
b/drivers/accel/rocket/rocket_job.c
index 2f1861f960cc..2b7222afc197 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -102,6 +102,7 @@ rocket_copy_tasks(struct drm_device *dev,
fail:
kvfree(rjob->tasks);
+ rjob->tasks = NULL;
return ret;
}
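Review bot: at the fail: label, rjob->tasks is still freed locally and then cleared only so that the common cleanup path, which per the commit message frees the same array, does not free it a second time. That leaves two places owning one allocation. Consider dropping the kvfree() here so that rocket_job_cleanup() is the single owner of rjob->tasks, or, if the local free stays, add a one-line comment above "rjob->tasks = NULL;" saying the store exists because job cleanup runs after this failure.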
@@ -548,6 +549,7 @@ static int rocket_ioctl_submit_job(struct drm_device *dev,
struct drm_file *file
kref_init(&rjob->refcount);
rjob->rdev = rdev;
+ rjob->domain = rocket_iommu_domain_get(file_priv);
ret = drm_sched_job_init(&rjob->base,
&file_priv->sched_entity,
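Review bot: the domain reference is now taken before drm_sched_job_init(), so every failure exit after this line has to reach rocket_job_put() for the reference to be dropped, and the drm_sched_job_init() failure branch is not visible in this context. Please confirm that branch goes through rocket_job_put() and not a bare kfree of rjob; otherwise the move trades the NULL domain in rocket_job_cleanup() for a leaked domain reference. Saying in the commit message which label that branch jumps to would make this checkable from the patch alone.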
@@ -573,8 +575,6 @@ static int rocket_ioctl_submit_job(struct drm_device *dev,
struct drm_file *file
rjob->out_bo_count = job->out_bo_handle_count;
- rjob->domain = rocket_iommu_domain_get(file_priv);
-
ret = rocket_job_push(rjob);
if (ret)
goto out_cleanup_job;
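Review bot: with the assignment removed from just above rocket_job_push(), nothing in the code records that the ordering matters. A short comment at the new site of "rjob->domain = rocket_iommu_domain_get(file_priv);" stating that rocket_job_cleanup() puts the domain unconditionally, and that the reference must therefore exist before the first error exit, would keep a later tidy-up from moving the line back here.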