Fix several issues in the rocket accelerator driver: rocket_gem.c: Add missing error check after drm_mm_insert_node_generic(). The return value was silently overwritten by iommu_map_sgtable(), causing DMA mapping to use an uninitialized IOVA on MM insertion failure.
rocket_job.c: Add missing NULL check after kvmalloc_array() in rocket_job_push(). A large job can trigger allocation failure, leading to NULL pointer dereference in the following memcpy. rocket_job.c: Add missing NULL check after kmalloc_objs() in rocket_job_open(). Also fix memory leak of the scheds array when drm_sched_entity_init() fails. Found by AI-assisted code review (Claude Opus 4.6, Anthropic) in collaboration with Ali Khaledi. Signed-off-by: Ali Khaledi <[email protected]>
---
 drivers/accel/rocket/rocket_gem.c | 2 ++
 drivers/accel/rocket/rocket_job.c | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/accel/rocket/rocket_gem.c b/drivers/accel/rocket/rocket_gem.c
index b6a385d2e..7212edc3f 100644
--- a/drivers/accel/rocket/rocket_gem.c
+++ b/drivers/accel/rocket/rocket_gem.c
@@ -95,6 +95,8 @@ int rocket_ioctl_create_bo(struct drm_device *dev, void *data, struct drm_file *
 rkt_obj->size, PAGE_SIZE, 0, 0);
 mutex_unlock(&rocket_priv->mm_lock);
+ if (ret)
+ goto err;
 ret = iommu_map_sgtable(rocket_priv->domain->domain, rkt_obj->mm.start,
diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c
index ac51bff39..6502b7148 100644
--- a/drivers/accel/rocket/rocket_job.c
+++ b/drivers/accel/rocket/rocket_job.c
@@ -192,6 +192,8 @@ static int rocket_job_push(struct rocket_job *job)
 bos = kvmalloc_array(job->in_bo_count + job->out_bo_count, sizeof(void *), GFP_KERNEL);
+ if (!bos)
+ return -ENOMEM;
 memcpy(bos, job->in_bos, job->in_bo_count * sizeof(void *));
 memcpy(&bos[job->in_bo_count], job->out_bos, job->out_bo_count * sizeof(void *));
@@ -501,6 +503,9 @@ int rocket_job_open(struct rocket_file_priv *rocket_priv)
 unsigned int core;
 int ret;
+ if (!scheds)
+ return -ENOMEM;
+
 for (core = 0; core < rdev->num_cores; core++)
 scheds[core] = &rdev->cores[core].sched;
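Review bot: The new `goto err` in rocket_ioctl_create_bo() is only safe if the `err` path, and any object free routine it reaches, never touches `rkt_obj->mm` when the node was not inserted; that label and the rest of the function lie outside this hunk, so this has to be checked against the full file. If the teardown removes the node or unmaps `rkt_obj->mm.start` unconditionally, an insertion failure would now swap the uninitialized-IOVA mapping for the removal of an unallocated node. Guarding the removal with `if (drm_mm_node_allocated(&rkt_obj->mm))` would make the teardown correct on both paths. A comment above the new check such as `/* IOVA reservation failed: nothing is mapped yet */` would record which cleanup is expected here.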
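Review bot: The element count passed to kvmalloc_array() in rocket_job_push() is the sum `job->in_bo_count + job->out_bo_count`, and the added NULL check does not cover that addition wrapping before the allocator's own multiplication check runs. The field types are not visible in this hunk; if they are 32-bit counts that originate from the submit ioctl, a wrapped sum would yield a buffer smaller than what the two memcpy() calls then write using the individual counts. Computing the count with the overflow helpers closes that gap, e.g. `bos = kvmalloc_array(size_add(job->in_bo_count, job->out_bo_count), sizeof(void *), GFP_KERNEL);`. The function starts and ends outside the hunk, so it is also worth confirming that nothing acquired earlier is skipped by the direct `return -ENOMEM`.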
@@ -508,8 +513,10 @@ int rocket_job_open(struct rocket_file_priv *rocket_priv)
 DRM_SCHED_PRIORITY_NORMAL, scheds, rdev->num_cores, NULL);
- if (WARN_ON(ret))
+ if (WARN_ON(ret)) {
+ kfree(scheds);
 return ret;
+ }
 return 0;
 }
--
2.53.0
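Review bot: On the success path of rocket_job_open() `scheds` is still not freed, so after this change its lifetime depends entirely on the scheduler entity keeping the pointer and on the close path releasing it, neither of which is visible in this hunk. This is worth confirming for a device with a single core in particular, since drm_sched_entity_init() may not retain the list when it is handed only one scheduler, in which case the array would leak on every successful open. At minimum the ownership should be stated next to the `return 0;`, for example `/* on success the entity keeps scheds; it is released when the file is closed */`, once that has been verified against the close path.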
