rusticl/memory: fix potential use-after-free in clEnqueueSVMFree
authorLingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org>
Fri, 13 Oct 2023 16:51:22 +0000 (18:51 +0200)
committerMarge Bot <emma+marge@anholt.net>
Fri, 13 Oct 2023 21:43:17 +0000 (21:43 +0000)
Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25719>

src/gallium/frontends/rusticl/api/memory.rs

index fbce8a7..fe16ede 100644 (file)
@@ -2371,6 +2371,12 @@ fn enqueue_svm_free_impl(
         return Err(CL_INVALID_OPERATION);
     }
 
+    // The application is allowed to reuse or free the memory referenced by `svm_pointers` after this
+    // function returns so we have to make a copy.
+    // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
+    let svm_pointers =
+        unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) }.to_vec();
+
     create_and_queue(
         q,
         cmd_type,
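Review bot: The SAFETY comment on the new `slice::from_raw_parts` call covers only the element count, but that function also requires `svm_pointers` to be non-null and aligned even when `num_svm_pointers` is 0. The copy now runs on every call instead of only on the no-callback path, so a NULL pointer with a zero count would hit this precondition immediately. The argument validation earlier in `enqueue_svm_free_impl` is outside this hunk; if it allows that combination, guard the copy with `let svm_pointers = if svm_pointers.is_null() { Vec::new() } else { unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) }.to_vec() };`. If NULL is already rejected there, extend the comment to say so, for example `// SAFETY: svm_pointers was checked to be non-null above and num_svm_pointers is its element count`.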
@@ -2379,15 +2385,14 @@ fn enqueue_svm_free_impl(
         false,
         Box::new(move |q, _| {
             if let Some(cb) = pfn_free_func {
+                let mut svm_pointers = svm_pointers.clone();
+                let ptr = svm_pointers.as_mut_ptr();
                 // SAFETY: it's undefined behavior if the application screws up
                 unsafe {
-                    cb(command_queue, num_svm_pointers, svm_pointers, user_data);
+                    cb(command_queue, num_svm_pointers, ptr, user_data);
                 }
             } else {
-                // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
-                let svm_pointers =
-                    unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) };
-                for &ptr in svm_pointers {
+                for &ptr in &svm_pointers {
                     svm_free_impl(&q.context, ptr);
                 }
             }
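Review bot: The `// SAFETY:` comment kept above the `cb(...)` call does not state the invariant that makes the call sound, although this commit is what establishes it. I would reword it to `// SAFETY: ptr points to num_svm_pointers elements of a Vec owned by this closure, which stays alive until cb returns; anything cb does beyond that is the application's responsibility`. The `svm_pointers.clone()` on the line above also deserves a short why-comment, such as `// the callback takes a mutable pointer, so hand it a private copy of the list`, since the reason for a second copy is not obvious from the hunk. The closure and the rest of `enqueue_svm_free_impl` continue outside the hunk.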