Quoting [email protected] (2026-07-01 10:41:36)
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
> to consider:
> 
> Pre-existing issues:
> - [Critical] Unchecked NULL pointer dereference of `pe->engine` in 
> `set_proto_ctx_sseu()`.
> --
> 
> commit 65a99ba2c873d452c04e00448f3e025e69552b68
> Author: Joonas Lahtinen <[email protected]>
> 
> drm/i915/gem: Do not leak siblings[] on proto context error
> 
> This commit fixes a memory leak in the context creation error path.
> It ensures the siblings[] array is properly freed if an error happens
> while processing user extensions.
> 
> > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c 
> > b/drivers/gpu/drm/i915/gem/i915_gem_context.c
> > index aeafe1742d308..87fce2adfeefb 100644
> > --- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
> > +++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
> [ ... ]
> > @@ -800,15 +800,21 @@ static int set_proto_ctx_engines(struct 
> > drm_i915_file_private *fpriv,
> >                                          set_proto_ctx_engines_extensions,
> >                                          
> > ARRAY_SIZE(set_proto_ctx_engines_extensions),
> >                                          &set);
> [ ... ]
> > +err_extensions:
> > +     for (n = 0; n < set.num_engines; n++)
> > +             kfree(set.engines[n].siblings);
> > +err:
> > +     kfree(set.engines);
> > +
> > +     return err;
> >  }
> >  
> >  static int set_proto_ctx_sseu(struct drm_i915_file_private *fpriv,
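Review bot: the err_extensions loop frees set.engines[n].siblings for every n below set.num_engines, which relies on kfree(NULL) being a no-op for slots that never had a siblings array allocated (such as the I915_ENGINE_CLASS_INVALID entries that set_proto_ctx_engines() leaves zeroed); that is fine, but since the lines that initialize set.engines and set.num_engines are elided here, please confirm in the full patch that both are set (or zeroed) before any goto err / goto err_extensions so the new unwind never reads an uninitialized count or frees a garbage pointer.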
> 
> [Severity: Critical]
> This is a pre-existing issue, but could this cause a NULL pointer
> dereference later in set_proto_ctx_sseu()?
> 
> If a user creates a proto-context and uses I915_CONTEXT_PARAM_ENGINES to
> set an engine array with an I915_ENGINE_CLASS_INVALID entry,
> set_proto_ctx_engines() initializes the slot to 0 and skips setting
> pe->engine.
> 
> If the user then calls I915_CONTEXT_PARAM_SSEU and specifies the index of
> that invalid engine, set_proto_ctx_sseu() executes this:
> 
>     idx = array_index_nospec(idx, pc->num_user_engines);
>     pe = &pc->user_engines[idx];
> 
>     /* Only render engine supports RPCS configuration. */
>     if (pe->engine->class != RENDER_CLASS)
>         return -EINVAL;
> 
> Does pe->engine need to be checked for NULL before dereferencing it here, to
> prevent a panic?

There is a fix submitted for this already at [1] given the issue was
already taken note of.

Regards, Joonas

[1] https://lore.kernel.org/intel-gfx/[email protected]/

> -- 
> Sashiko AI review · 
> https://sashiko.dev/#/patchset/[email protected]?part=1
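A minimal model of the pe->engine case the review above describes, added here as an example that is not i915 code and not part of this thread: the struct and function names are assumptions, the three engine slots are constructed, and the kernel's array_index_nospec() clamp is replaced by a plain bounds check.

```c
/* Added example: models an unset engine slot in a proto-context.
 * Not i915 code; names are assumptions, sample data is constructed. */
#include <stddef.h>
#include <errno.h>

#define RENDER_CLASS 0
#define COPY_CLASS   3

struct engine { int class; };

/* One slot of pc->user_engines[]: an I915_ENGINE_CLASS_INVALID entry is
 * left zeroed by the engines setter, so engine stays NULL. */
struct user_engine { struct engine *engine; };

struct proto_ctx {
	unsigned int num_user_engines;
	struct user_engine *user_engines;
};

/* Mirrors the pre-existing check: dereferences pe->engine unconditionally,
 * so an invalid-class slot makes it read through a NULL pointer. */
int sseu_class_check_unguarded(struct proto_ctx *pc, unsigned int idx)
{
	struct user_engine *pe;
	if (idx >= pc->num_user_engines)
		return -EINVAL;
	pe = &pc->user_engines[idx];
	if (pe->engine->class != RENDER_CLASS)
		return -EINVAL;
	return 0;
}

/* Hardened variant: an unset slot is rejected like any non-render engine. */
int sseu_class_check_guarded(struct proto_ctx *pc, unsigned int idx)
{
	struct user_engine *pe;
	if (idx >= pc->num_user_engines)
		return -EINVAL;
	pe = &pc->user_engines[idx];
	if (!pe->engine)
		return -EINVAL;
	if (pe->engine->class != RENDER_CLASS)
		return -EINVAL;
	return 0;
}

/* Constructed sample: slot 0 render, slot 1 invalid (NULL), slot 2 copy. */
struct engine sample_render = { RENDER_CLASS };
struct engine sample_copy = { COPY_CLASS };
struct user_engine sample_engines[3] = { { &sample_render }, { NULL }, { &sample_copy } };
struct proto_ctx sample_pc = { 3, sample_engines };
```

Calling the unguarded variant with index 1 on this sample is the crash the review points at; the guarded variant returns -EINVAL for that slot instead.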
