[PATCH 0/2] accel/rocket: Fix NULL deref and double-free in job submit error path

Next message: Wadim Mueller: "Re: [RFC PATCH v1 3/4] iio: flow: add Sensirion SLF3x liquid flow sensor driver"
Previous message: Wadim Mueller: "Re: [RFC PATCH v1 3/4] iio: flow: add Sensirion SLF3x liquid flow sensor driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: D D

Date: Wed May 27 2026 - 10:37:21 EST

Hi Tomeu,

Two bugs in the job submission error path in rocket_job.c:

1) rocket_job_cleanup() unconditionally calls
rocket_iommu_domain_put(job->domain), but job->domain is only
assigned after all fallible operations in
rocket_ioctl_submit_job(). On early failure, job->domain is NULL,
causing a NULL pointer dereference.

2) rocket_copy_tasks() frees rjob->tasks on its error path but does
not NULL the pointer. rocket_job_cleanup() frees it again,
resulting in a double-free.

Patch 1 adds a NULL check for job->domain in rocket_job_cleanup().
Patch 2 sets rjob->tasks to NULL after freeing in rocket_copy_tasks().

Dhabaleshwar Das (2):
accel/rocket: Add NULL check for domain in rocket_job_cleanup()
accel/rocket: Fix double-free of tasks array in rocket_copy_tasks()

drivers/accel/rocket/rocket_job.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

Thanks,
Dhabaleshwar Das

Attachment: Bug2_patch2_double_free.patch
Description: Binary data

Attachment: Bug2_patch1_null_deref.patch
Description: Binary data