From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/xe/xe_drm_ras: Add support for XE DRM RAS
Date: Tue, 24 Feb 2026 10:45:41 +1000
Message-ID: <review-patch2-20260223060541.526397-9-riana.tauro@intel.com>
In-Reply-To: <20260223060541.526397-9-riana.tauro@intel.com>
References: <20260223060541.526397-7-riana.tauro@intel.com> <20260223060541.526397-9-riana.tauro@intel.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

**`kfree()` on ERR_PTR in cleanup path:**

In `assign_node_params`:

> +	ras->info[severity] = allocate_and_copy_counters(xe);
> +	if (IS_ERR(ras->info[severity]))
> +		return PTR_ERR(ras->info[severity]);

When `allocate_and_copy_counters` returns `ERR_PTR(-ENOMEM)`, `ras->info[severity]` is stored as that ERR_PTR value. The caller `register_nodes` then does:

> +		ret = assign_node_params(xe, node, i);
> +		if (ret) {
> +			cleanup_node_param(ras, i);

And `cleanup_node_param` does:

> +	kfree(ras->info[severity]);

Calling `kfree()` on an ERR_PTR value will corrupt the kernel heap or crash. The fix is to set `ras->info[severity] = NULL` before returning the error in `assign_node_params`, or to check for `IS_ERR_OR_NULL` in `cleanup_node_param`.

**Partial registration leak:**

> +	for_each_error_severity(i) {
> +		struct drm_ras_node *node = &ras->node[i];
> +		int ret;
> +
> +		ret = assign_node_params(xe, node, i);
> +		if (ret) {
> +			cleanup_node_param(ras, i);
> +			return ret;
> +		}
> +
> +		ret = drm_ras_node_register(node);
> +		if (ret) {
> +			cleanup_node_param(ras, i);
> +			return ret;
> +		}
> +	}

If the second iteration (uncorrectable, i=1) fails, the first iteration's node (correctable, i=0) is already registered in the global xarray and its `info` allocated, but neither is cleaned up. The node remains in the xarray with a `priv` pointer to `xe`. Later, when `xe` is freed (and `drmm_add_action_or_reset` was never called since `register_nodes` returned error), that node becomes a dangling pointer in the global xarray. A subsequent netlink query would dereference freed memory.

The function should unwind previously registered nodes on failure.

**`device_name` allocated per-node:**

> +	device_name = kasprintf(GFP_KERNEL, "%04x:%02x:%02x.%d",

Both the correctable and uncorrectable nodes get their own `kasprintf` allocation with the same PCI BDF string. Minor, but you could share one string or use `pci_name(pdev)` (which returns a stable string owned by the PCI core and doesn't need to be freed).

---
Generated by Claude Code Patch Reviewer