From d9abc07151e4785f3a8392d459e1370fb34811b3 Mon Sep 17 00:00:00 2001
From: LingMan <18294-LingMan@users.noreply.gitlab.freedesktop.org>
Date: Fri, 13 Oct 2023 18:51:22 +0200
Subject: [PATCH] rusticl/memory: fix potential use-after-free in clEnqueueSVMFree

Fixes: bfee3a8563d ("rusticl: add support for fine-grained system SVM")
Part-of:
---
 src/gallium/frontends/rusticl/api/memory.rs | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/gallium/frontends/rusticl/api/memory.rs b/src/gallium/frontends/rusticl/api/memory.rs
index fbce8a7..fe16ede 100644
--- a/src/gallium/frontends/rusticl/api/memory.rs
+++ b/src/gallium/frontends/rusticl/api/memory.rs
@@ -2371,6 +2371,12 @@ fn enqueue_svm_free_impl(
 return Err(CL_INVALID_OPERATION);
 }
 
+ // The application is allowed to reuse or free the memory referenced by `svm_pointers` after this
+ // function returns so we have to make a copy.
+ // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
+ let svm_pointers =
+ unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) }.to_vec();
+
 create_and_queue(
 q,
 cmd_type,
@@ -2379,15 +2385,14 @@ fn enqueue_svm_free_impl(
 false,
 Box::new(move |q, _| {
 if let Some(cb) = pfn_free_func {
+ let mut svm_pointers = svm_pointers.clone();
+ let ptr = svm_pointers.as_mut_ptr();
 // SAFETY: it's undefined behavior if the application screws up
 unsafe {
- cb(command_queue, num_svm_pointers, svm_pointers, user_data);
+ cb(command_queue, num_svm_pointers, ptr, user_data);
 }
 } else {
- // SAFETY: num_svm_pointers specifies the amount of elements in svm_pointers
- let svm_pointers =
- unsafe { slice::from_raw_parts(svm_pointers, num_svm_pointers as usize) };
- for &ptr in svm_pointers {
+ for &ptr in &svm_pointers {
 svm_free_impl(&q.context, ptr);
 }
 }
-- 
2.7.4
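Review bot: The copy added in the first hunk calls `slice::from_raw_parts(svm_pointers, num_svm_pointers as usize)` on every enqueue, including the callback path that never dereferenced the array before, and its SAFETY comment justifies only the length. `from_raw_parts` also requires a non-null, aligned pointer even for a length of 0, and the argument checks sit above the hunk where I cannot see them. If a NULL `svm_pointers` with `num_svm_pointers == 0` can reach this line, the call is undefined behaviour, so I would guard it with `let svm_pointers = if svm_pointers.is_null() { Vec::new() } else { /* existing from_raw_parts copy */ };`. The comment should then name both preconditions, e.g. `// SAFETY: svm_pointers is non-null here and num_svm_pointers is its element count`. enqueue_svm_free_impl starts and ends outside the hunk.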
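Review bot: The SAFETY comment above the `cb(...)` call in the second hunk still reads `it's undefined behavior if the application screws up`, which does not state what this side now guarantees. `ptr` points into a clone that is dropped at the end of the `if` block, so the comment should spell out the lifetime, e.g. `// SAFETY: ptr points to num_svm_pointers elements owned by the local clone, which outlives the call; the callback must not retain ptr afterwards`. The per-execution clone is presumably needed because the closure cannot hand out a mutable pointer into its captured Vec; a one-line why-comment on `let mut svm_pointers = svm_pointers.clone();` would keep a later cleanup from removing it and reintroducing a dangling pointer.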