Module: Mesa Branch: main Commit: d9abc07151e4785f3a8392d459e1370fb34811b3 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=d9abc07151e4785f3a8392d459e1370fb34811b3
Author: LingMan <[email protected]> Date: Fri Oct 13 18:51:22 2023 +0200 rusticl/memory: fix potential use-after-free in clEnqueueSVMFree Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM") Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25719>
---
 src/gallium/frontends/rusticl/api/memory.rs | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/gallium/frontends/rusticl/api/memory.rs b/src/gallium/frontends/rusticl/api/memory.rs
index fbce8a776a0..fe16ede5cba 100644
--- a/src/gallium/frontends/rusticl/api/memory.rs
+++ b/src/gallium/frontends/rusticl/api/memory.rs
@@ -2371,6 +2371,12 @@ fn enqueue_svm_free_impl(
 return Err(CL_INVALID_OPERATION);
 }

+ // The application is allowed to reuse or free the memory referenced by `svm_pointers` after this
+ // function returns so we have to make a copy.
+ // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
+ let svm_pointers =
+ unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) }.to_vec();
+
 create_and_queue(
 q,
 cmd_type,
@@ -2379,15 +2385,14 @@ fn enqueue_svm_free_impl(
 false,
 Box::new(move |q, _| {
 if let Some(cb) = pfn_free_func {
+ let mut svm_pointers = svm_pointers.clone();
+ let ptr = svm_pointers.as_mut_ptr();
 // SAFETY: it's undefined behavior if the application screws up
 unsafe {
- cb(command_queue, num_svm_pointers, svm_pointers, user_data);
+ cb(command_queue, num_svm_pointers, ptr, user_data);
 }
 } else {
- // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
- let svm_pointers =
- unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) };
- for &ptr in svm_pointers {
+ for &ptr in &svm_pointers {
 svm_free_impl(&q.context, ptr);
 }
 }
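Review bot: The `slice::from_raw_parts` call added ahead of `create_and_queue` requires `svm_pointers` to be non-null and aligned even when `num_svm_pointers` is 0, and the SAFETY comment only covers the element count. The argument validation of `enqueue_svm_free_impl` lies above this hunk, so I cannot tell whether a NULL `svm_pointers` with a zero count can reach this line; if it can, the copy is undefined behaviour at enqueue time. Taking the `from_raw_parts` path only when `!svm_pointers.is_null()` and using `Vec::new()` otherwise would close that. The SAFETY comment should then name the non-null precondition next to the length one.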
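Review bot: The SAFETY comment kept above the `cb(...)` call no longer states what the new code guarantees, and the per-invocation `svm_pointers.clone()` has no explanation. I would reword it to `// SAFETY: ptr points to num_svm_pointers elements of a local copy that stays alive for the whole call; cb and user_data come from the application and cannot be checked here`. Above the clone, a line such as `// the callback receives a mutable pointer, so hand it a private copy` would record the reason, which I assume is that the closure cannot mutate its capture. The copy is dropped as soon as the callback returns, which deserves a word in case an application keeps the array pointer. The rest of the closure and of the `create_and_queue` call lies outside this hunk.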
