accel/rocket: fix unwinding in error path in rocket_probe

When rocket_core_init() fails (as could be the case with EPROBE_DEFER),
we need to properly unwind by decrementing the counter we just
incremented and if this is the first core we failed to probe, remove the
rocket DRM device with rocket_device_fini() as well. This matches the
logic in rocket_remove(). Failing to properly unwind results in
out-of-bounds accesses.

Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL")
Cc: stable@vger.kernel.org
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Link: https://patch.msgid.link/20251215-rocket-error-path-v1-2-eec3bf29dc3b@cherry.de

diff --git a/drivers/accel/rocket/rocket_drv.c b/drivers/accel/rocket/rocket_drv.c
index 5c0b63f0a8f00dc71060e7177d0ed1ca15755ec4..f6ef4c7aeef11d2c471fdb0685bd6f8227b51009 100644 (file)
--- a/drivers/accel/rocket/rocket_drv.c
+++ b/drivers/accel/rocket/rocket_drv.c
@@ -13,6 +13,7 @@
 #include <linux/platform_device.h>
 #include <linux/pm_runtime.h>
 
+#include "rocket_device.h"
 #include "rocket_drv.h"
 #include "rocket_gem.h"
 #include "rocket_job.h"
@@ -158,6 +159,8 @@ static const struct drm_driver rocket_drm_driver = {
 
 static int rocket_probe(struct platform_device *pdev)
 {
+       int ret;
+
        if (rdev == NULL) {
                /* First core probing, initialize DRM device. */
                rdev = rocket_device_init(drm_dev, &rocket_drm_driver);
@@ -177,7 +180,17 @@ static int rocket_probe(struct platform_device *pdev)
 
        rdev->num_cores++;
 
-       return rocket_core_init(&rdev->cores[core]);
+       ret = rocket_core_init(&rdev->cores[core]);
+       if (ret) {
+               rdev->num_cores--;
+
+               if (rdev->num_cores == 0) {
+                       rocket_device_fini(rdev);
+                       rdev = NULL;
+               }
+       }
+
+       return ret;
 }
 
 static void rocket_remove(struct platform_device *pdev)