From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/xe/xe_drm_ras: Add support for XE DRM RAS
Date: Tue, 24 Feb 2026 10:45:41 +1000 [thread overview]
Message-ID: <review-patch2-20260223060541.526397-9-riana.tauro@intel.com> (raw)
In-Reply-To: <20260223060541.526397-9-riana.tauro@intel.com>
Patch Review
**`kfree()` on ERR_PTR in cleanup path:**
In `assign_node_params`:
> + ras->info[severity] = allocate_and_copy_counters(xe);
> + if (IS_ERR(ras->info[severity]))
> + return PTR_ERR(ras->info[severity]);
When `allocate_and_copy_counters` returns `ERR_PTR(-ENOMEM)`, `ras->info[severity]` is stored as that ERR_PTR value. The caller `register_nodes` then does:
> + ret = assign_node_params(xe, node, i);
> + if (ret) {
> + cleanup_node_param(ras, i);
And `cleanup_node_param` does:
> + kfree(ras->info[severity]);
Calling `kfree()` on an ERR_PTR value will corrupt the kernel heap or crash. The fix is to set `ras->info[severity] = NULL` before returning the error in `assign_node_params`, or to check for `IS_ERR_OR_NULL` in `cleanup_node_param`.
**Partial registration leak:**
> + for_each_error_severity(i) {
> + struct drm_ras_node *node = &ras->node[i];
> + int ret;
> +
> + ret = assign_node_params(xe, node, i);
> + if (ret) {
> + cleanup_node_param(ras, i);
> + return ret;
> + }
> +
> + ret = drm_ras_node_register(node);
> + if (ret) {
> + cleanup_node_param(ras, i);
> + return ret;
> + }
> + }
If the second iteration (uncorrectable, i=1) fails, the first iteration's node (correctable, i=0) is already registered in the global xarray and its `info` allocated, but neither is cleaned up. The node remains in the xarray with a `priv` pointer to `xe`. Later, when `xe` is freed (and `drmm_add_action_or_reset` was never called since `register_nodes` returned error), that node becomes a dangling pointer in the global xarray. A subsequent netlink query would dereference freed memory.
The function should unwind previously registered nodes on failure.
**`device_name` allocated per-node:**
> + device_name = kasprintf(GFP_KERNEL, "%04x:%02x:%02x.%d",
Both the correctable and uncorrectable nodes get their own `kasprintf` allocation with the same PCI BDF string. Minor, but you could share one string or use `pci_name(pdev)` (which returns a stable string owned by the PCI core and doesn't need to be freed).
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-02-24 0:45 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-23 6:05 [PATCH v8 0/5] Introduce DRM_RAS using generic netlink for RAS Riana Tauro
2026-02-23 6:05 ` [PATCH v8 1/5] drm/ras: Introduce the DRM RAS infrastructure over generic netlink Riana Tauro
2026-02-24 0:45 ` Claude review: " Claude Code Review Bot
2026-02-23 6:05 ` [PATCH v8 2/5] drm/xe/xe_drm_ras: Add support for XE DRM RAS Riana Tauro
2026-02-24 0:45 ` Claude Code Review Bot [this message]
2026-02-23 6:05 ` [PATCH v8 3/5] drm/xe/xe_hw_error: Integrate DRM RAS with hardware error handling Riana Tauro
2026-02-24 0:45 ` Claude review: " Claude Code Review Bot
2026-02-23 6:05 ` [PATCH v8 4/5] drm/xe/xe_hw_error: Add support for Core-Compute errors Riana Tauro
2026-02-24 0:45 ` Claude review: " Claude Code Review Bot
2026-02-23 6:05 ` [PATCH v8 5/5] drm/xe/xe_hw_error: Add support for PVC SoC errors Riana Tauro
2026-02-24 0:45 ` Claude review: " Claude Code Review Bot
2026-02-24 0:45 ` Claude review: Introduce DRM_RAS using generic netlink for RAS Claude Code Review Bot
-- strict thread matches above, loose matches on Subject: below --
2026-02-28 8:08 [PATCH v9 0/5] " Riana Tauro
2026-02-28 8:08 ` [PATCH v9 2/5] drm/xe/xe_drm_ras: Add support for XE DRM RAS Riana Tauro
2026-03-03 4:32 ` Claude review: " Claude Code Review Bot
2026-03-04 7:44 [PATCH v10 0/5] Introduce DRM_RAS using generic netlink for RAS Riana Tauro
2026-03-04 7:44 ` [PATCH v10 2/5] drm/xe/xe_drm_ras: Add support for XE DRM RAS Riana Tauro
2026-03-05 3:47 ` Claude review: " Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch2-20260223060541.526397-9-riana.tauro@intel.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox