rusticl/memory: fix potential use-after-free in clEnqueueSVMMemFill

Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM")
Signed-off-by: Karol Herbst <kherbst@redhat.com>
Reported-by: @LingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org>
Reviewed-by: @LingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25637>

diff --git a/src/gallium/frontends/rusticl/api/memory.rs b/src/gallium/frontends/rusticl/api/memory.rs
index 0de2a390d4c6f662cca7185c36119cbc60274b5d..fbce8a776a0f36f0692cf71212e2d445c919d5a8 100644 (file)
--- a/src/gallium/frontends/rusticl/api/memory.rs
+++ b/src/gallium/frontends/rusticl/api/memory.rs
@@ -2591,6 +2591,9 @@ fn enqueue_svm_mem_fill_impl(
         return Err(CL_INVALID_VALUE);
     }
 
+    // The application is allowed to reuse or free the memory referenced by `pattern` after this
+    // function returns so we have to make a copy.
+    let pattern: Vec<u8> = unsafe { slice::from_raw_parts(pattern.cast(), pattern_size).to_vec() };
     create_and_queue(
         q,
         cmd_type,
@@ -2602,7 +2605,7 @@ fn enqueue_svm_mem_fill_impl(
             while offset < size {
                 // SAFETY: pointer are either valid or undefined behavior
                 unsafe {
-                    ptr::copy(pattern, svm_ptr.add(offset), pattern_size);
+                    ptr::copy(pattern.as_ptr().cast(), svm_ptr.add(offset), pattern_size);
                 }
                 offset += pattern_size;
             }