Quoting [email protected] (2026-07-01 10:41:36) > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) > to consider: > > Pre-existing issues: > - [Critical] Unchecked NULL pointer dereference of `pe->engine` in > `set_proto_ctx_sseu()`. > -- > > commit 65a99ba2c873d452c04e00448f3e025e69552b68 > Author: Joonas Lahtinen <[email protected]> > > drm/i915/gem: Do not leak siblings[] on proto context error > > This commit fixes a memory leak in the context creation error path. > It ensures the siblings[] array is properly freed if an error happens > while processing user extensions. > > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c > > b/drivers/gpu/drm/i915/gem/i915_gem_context.c > > index aeafe1742d308..87fce2adfeefb 100644 > > --- a/drivers/gpu/drm/i915/gem/i915_gem_context.c > > +++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c > [ ... ] 
> > @@ -800,15 +800,21 @@ static int set_proto_ctx_engines(struct > > drm_i915_file_private *fpriv, > > set_proto_ctx_engines_extensions, > > > > ARRAY_SIZE(set_proto_ctx_engines_extensions), > > &set); > [ ... ] > > +err_extensions: > > + for (n = 0; n < set.num_engines; n++) > > + kfree(set.engines[n].siblings); > > +err: > > + kfree(set.engines); > > + > > + return err; > > } > > > > static int set_proto_ctx_sseu(struct drm_i915_file_private *fpriv, > > [Severity: Critical] > This is a pre-existing issue, but could this cause a NULL pointer > dereference later in set_proto_ctx_sseu()? > > If a user creates a proto-context and uses I915_CONTEXT_PARAM_ENGINES to > set an engine array with an I915_ENGINE_CLASS_INVALID entry, > set_proto_ctx_engines() initializes the slot to 0 and skips setting > pe->engine. > > If the user then calls I915_CONTEXT_PARAM_SSEU and specifies the index of > that invalid engine, set_proto_ctx_sseu() executes this: > > idx = array_index_nospec(idx, pc->num_user_engines); > pe = &pc->user_engines[idx]; > > /* Only render engine supports RPCS configuration. */ > if (pe->engine->class != RENDER_CLASS) > return -EINVAL; > > Does pe->engine need to be checked for NULL before dereferencing it here, to > prevent a panic?
There is a fix submitted for this already at [1] given the issue was already taken note of.

Regards, Joonas

[1] https://lore.kernel.org/intel-gfx/[email protected]/

> --
> Sashiko AI review ·
> https://sashiko.dev/#/patchset/[email protected]?part=1
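
Review bot: The new err_extensions loop in set_proto_ctx_engines() calls kfree(set.engines[n].siblings) for every index below set.num_engines, so it is only correct if each slot's siblings pointer is either NULL or a live allocation when the label is reached. The allocation of set.engines is elided ([ ... ]) in the quoted hunk, so please confirm that it zero-fills the array and say so in a short comment above the loop, since kfree() on an uninitialised pointer would turn this leak fix into memory corruption. As a style point, the label err and the variable in "return err;" share a name; C allows it, but next to err_extensions a label that names what it frees would read more clearly.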
