From: Dhabaleshwar Das <dhabal123@gmail.com>
Date: Wed, 28 May 2026 00:00:00 +0530
Subject: [PATCH 2/2] accel/rocket: Fix double-free of tasks array in rocket_copy_tasks()

rocket_copy_tasks() frees rjob->tasks via kvfree() on its error path
but does not set the pointer to NULL. When the caller's error path
later reaches rocket_job_cleanup() via rocket_job_put(),
rocket_job_cleanup() calls kvfree(job->tasks) again, resulting in a
double-free.

Set rjob->tasks to NULL after freeing it in rocket_copy_tasks() so
that the subsequent kvfree() in rocket_job_cleanup() is a safe no-op.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Signed-off-by: Dhabaleshwar Das <dhabal123@gmail.com>
---
 drivers/accel/rocket/rocket_job.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c
index abcdef1..1234567 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -101,6 +101,7 @@ static int rocket_copy_tasks(struct drm_device *dev, struct drm_file *file,

 fail:
 	kvfree(rjob->tasks);
+	rjob->tasks = NULL;
 	return ret;
 }