Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [Critical] Unchecked NULL pointer dereference of `pe->engine` in 
`set_proto_ctx_sseu()`.
--

commit 65a99ba2c873d452c04e00448f3e025e69552b68
Author: Joonas Lahtinen <[email protected]>

drm/i915/gem: Do not leak siblings[] on proto context error

This commit fixes a memory leak in the context creation error path.
It ensures the siblings[] array is properly freed if an error happens
while processing user extensions.

> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c 
> b/drivers/gpu/drm/i915/gem/i915_gem_context.c
> index aeafe1742d308..87fce2adfeefb 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
[ ... ]
> @@ -800,15 +800,21 @@ static int set_proto_ctx_engines(struct 
> drm_i915_file_private *fpriv,
>                                          set_proto_ctx_engines_extensions,
>                                          
> ARRAY_SIZE(set_proto_ctx_engines_extensions),
>                                          &set);
[ ... ]
> +err_extensions:
> +     for (n = 0; n < set.num_engines; n++)
> +             kfree(set.engines[n].siblings);
> +err:
> +     kfree(set.engines);
> +
> +     return err;
>  }
>  
>  static int set_proto_ctx_sseu(struct drm_i915_file_private *fpriv,
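Review bot: the loop under err_extensions calls kfree() on set.engines[n].siblings for every n below set.num_engines, including slots the extension handlers may never have filled in, so it is only correct if set.engines was zero-initialised and siblings holds either NULL or a live allocation in every slot. The allocation sits in the elided part of the function, so please confirm it is a zeroing allocation, and consider a one-line comment above the loop noting that unfilled slots rely on kfree(NULL) being a no-op. Naming in the commit message which extension allocates siblings[] would also make the leak easier to follow.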

[Severity: Critical]
This is a pre-existing issue, but could this cause a NULL pointer
dereference later in set_proto_ctx_sseu()?

If a user creates a proto-context and uses I915_CONTEXT_PARAM_ENGINES to
set an engine array with an I915_ENGINE_CLASS_INVALID entry,
set_proto_ctx_engines() initializes the slot to 0 and skips setting
pe->engine.

If the user then calls I915_CONTEXT_PARAM_SSEU and specifies the index of
that invalid engine, set_proto_ctx_sseu() executes this:

    idx = array_index_nospec(idx, pc->num_user_engines);
    pe = &pc->user_engines[idx];

    /* Only render engine supports RPCS configuration. */
    if (pe->engine->class != RENDER_CLASS)
        return -EINVAL;

Does pe->engine need to be checked for NULL before dereferencing it here, to
prevent a panic?

-- 
Sashiko AI review · 
https://sashiko.dev/#/patchset/[email protected]?part=1
