AlexIndustrial/mesa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rusticl/memory: fix potential use-after-free in clEnqueueSVMFree

Browse Source 
Fixes: bfee3a8563 ("rusticl: add support for fine-grained system SVM")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25719>
This commit is contained in:
LingMan
2023-10-13 18:51:22 +02:00
committed by Marge Bot
parent 5ee883a23b
commit d9abc07151
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/gallium/frontends/rusticl/api/memory.rs
+10 -5
View File
@@ -2371,6 +2371,12 @@ fn enqueue_svm_free_impl(
return Err(CL_INVALID_OPERATION);
}
// The application is allowed to reuse or free the memory referenced by `svm_pointers` after this
// function returns so we have to make a copy.
// SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
let svm_pointers =
unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) }.to_vec();
create_and_queue(
q,
cmd_type,
@@ -2379,15 +2385,14 @@ fn enqueue_svm_free_impl(
false,
Box::new(move |q, _| {
if let Some(cb) = pfn_free_func {
let mut svm_pointers = svm_pointers.clone();
let ptr = svm_pointers.as_mut_ptr();
// SAFETY: it's undefined behavior if the application screws up
unsafe {
cb(command_queue, num_svm_pointers, svm_pointers, user_data);
cb(command_queue, num_svm_pointers, ptr, user_data);
}
} else {
// SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
let svm_pointers =
unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) };
for &ptr in svm_pointers {
for &ptr in &svm_pointers {
svm_free_impl(&q.context, ptr);
}
}