Ilia Mirkin
2015-Jun-22 20:52 UTC
[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
If query_create fails, why would any of these functions get called?
On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset <samuel.pitoiset at gmail.com> wrote:
> This may happen when nv50_query_create() fails to create a new query.
>
> Signed-off-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>
> ---
> src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
> index 55fcac8..1162110 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
> @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
> static void
> nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
> {
> + if (!pq)
> + return;
> +
> nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
> nouveau_fence_ref(NULL, &nv50_query(pq)->fence);
> FREE(nv50_query(pq));
> @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
> struct nouveau_pushbuf *push = nv50->base.pushbuf;
> struct nv50_query *q = nv50_query(pq);
>
> + if (!pq)
> + return FALSE;
> +
> /* For occlusion queries we have to change the storage, because a previous
> * query might set the initial render conition to FALSE even *after* we re-
> * initialized it to TRUE.
> @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
> struct nouveau_pushbuf *push = nv50->base.pushbuf;
> struct nv50_query *q = nv50_query(pq);
>
> + if (!pq)
> + return;
> +
> q->state = NV50_QUERY_STATE_ENDED;
>
> switch (q->type) {
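Review bot: In nv50_query_begin and nv50_query_end the new `if (!pq)` guard comes after the declaration `struct nv50_query *q = nv50_query(pq);`, so the NULL pointer has already been passed through nv50_query() before it is tested. nv50_query() is not visible in this patch; if it is a plain cast the order is harmless, but the guard then depends on that helper never reading its argument. The patch already defers the `data64` initialisation in nv50_query_result for the same reason, and doing the same here keeps the three functions consistent: declare `struct nv50_query *q;`, test `if (!pq) return FALSE;`, then assign `q = nv50_query(pq);`. Both function bodies start and end outside the quoted hunks.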
> @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
> uint64_t *res64 = (uint64_t *)result;
> uint32_t *res32 = (uint32_t *)result;
> boolean *res8 = (boolean *)result;
> - uint64_t *data64 = (uint64_t *)q->data;
> + uint64_t *data64;
> int i;
>
> + if (!pq)
> + return FALSE;
> +
> if (q->state != NV50_QUERY_STATE_READY)
> nv50_query_update(q);
>
> @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
> }
> q->state = NV50_QUERY_STATE_READY;
>
> + data64 = (uint64_t *)q->data;
> switch (q->type) {
> case PIPE_QUERY_GPU_FINISHED:
> res8[0] = TRUE;
> --
> 2.4.4
>
> _______________________________________________
> Nouveau mailing list
> Nouveau at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/nouveau
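Review bot: The early `return FALSE;` in nv50_query_result leaves `*result` unwritten, and a caller cannot tell "no query object" apart from any other FALSE this function may return (the rest of the body is outside the hunk). A caller that reads the result buffer without checking the return value would consume uninitialised memory, so the guard should carry a comment stating the contract, for example `/* pq is NULL when query creation failed; result is not written */`. Separately, the second hunk moves the read of `q->data` from before `nv50_query_update(q)` to just before the `switch`. If nothing in between can change `q->data`, placing `data64 = (uint64_t *)q->data;` directly after the guard would keep the original read order and sit next to its declaration.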
Samuel Pitoiset
2015-Jun-22 21:02 UTC
[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
On 06/22/2015 10:52 PM, Ilia Mirkin wrote:
> If query_create fails, why would any of these functions get called?
Because the HUD doesn't check if query_create() fails and it calls other pipe_query functions with NULL pointer instead of a valid query object.
>
> On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
> <samuel.pitoiset at gmail.com> wrote:
>> This may happen when nv50_query_create() fails to create a new query.
>>
>> Signed-off-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>
>> ---
>> src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++++++++++++++-
>> 1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> index 55fcac8..1162110 100644
>> --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
>> static void
>> nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
>> {
>> + if (!pq)
>> + return;
>> +
>> nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
>> nouveau_fence_ref(NULL, &nv50_query(pq)->fence);
>> FREE(nv50_query(pq));
>> @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
>> struct nouveau_pushbuf *push = nv50->base.pushbuf;
>> struct nv50_query *q = nv50_query(pq);
>>
>> + if (!pq)
>> + return FALSE;
>> +
>> /* For occlusion queries we have to change the storage, because a previous
>> * query might set the initial render conition to FALSE even *after* we re-
>> * initialized it to TRUE.
>> @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
>> struct nouveau_pushbuf *push = nv50->base.pushbuf;
>> struct nv50_query *q = nv50_query(pq);
>>
>> + if (!pq)
>> + return;
>> +
>> q->state = NV50_QUERY_STATE_ENDED;
>>
>> switch (q->type) {
>> @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>> uint64_t *res64 = (uint64_t *)result;
>> uint32_t *res32 = (uint32_t *)result;
>> boolean *res8 = (boolean *)result;
>> - uint64_t *data64 = (uint64_t *)q->data;
>> + uint64_t *data64;
>> int i;
>>
>> + if (!pq)
>> + return FALSE;
>> +
>> if (q->state != NV50_QUERY_STATE_READY)
>> nv50_query_update(q);
>>
>> @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>> }
>> q->state = NV50_QUERY_STATE_READY;
>>
>> + data64 = (uint64_t *)q->data;
>> switch (q->type) {
>> case PIPE_QUERY_GPU_FINISHED:
>> res8[0] = TRUE;
>> --
>> 2.4.4
>>
>> _______________________________________________
>> Nouveau mailing list
>> Nouveau at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/nouveau
Michel Dänzer
2015-Jun-23 06:57 UTC
[Nouveau] [Mesa-dev] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
On 23.06.2015 06:02, Samuel Pitoiset wrote:
>
>
> On 06/22/2015 10:52 PM, Ilia Mirkin wrote:
>> If query_create fails, why would any of these functions get called?
>
> Because the HUD doesn't check if query_create() fails and it calls other
> pipe_query functions with NULL pointer instead of a valid query object.

Could the HUD code be fixed instead?

--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer