[Beignet] [PATCH 03/12] runtime: error handling to avoid null pointer dereference.

xionghu.luo at intel.com xionghu.luo at intel.com
Thu May 5 16:11:46 UTC 2016


From: Luo Xionghu <xionghu.luo at intel.com>

Signed-off-by: Luo Xionghu <xionghu.luo at intel.com>
---
 src/cl_device_id.c      |  2 ++
 src/cl_event.c          | 28 ++++++++++++++++++----------
 src/cl_extensions.c     |  2 +-
 src/cl_mem.c            |  7 +++++--
 src/cl_thread.c         | 14 ++++++++++++++
 src/cl_utils.h          | 10 ++++++++++
 src/intel/intel_gpgpu.c |  4 +++-
 src/performance.c       |  3 +++
 src/x11/dricommon.c     |  6 +++++-
 9 files changed, 61 insertions(+), 15 deletions(-)

diff --git a/src/cl_device_id.c b/src/cl_device_id.c
index f8e06e2..00d014b 100644
--- a/src/cl_device_id.c
+++ b/src/cl_device_id.c
@@ -661,6 +661,8 @@ cl_self_test(cl_device_id device, cl_self_test_res atomic_in_l3_flag)
     return ret;
   tested = 1;
   ctx = clCreateContext(NULL, 1, &device, NULL, NULL, &status);
+  if(!ctx)
+    return ret;
   cl_driver_set_atomic_flag(ctx->drv, atomic_in_l3_flag);
   if (status == CL_SUCCESS) {
     queue = clCreateCommandQueue(ctx, device, 0, &status);
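Review bot: The new `if(!ctx) return ret;` sits after `tested = 1;`, so a failed clCreateContext() marks the self test as done without it having run. If `tested` is what gates the early `return ret;` at the top of the hunk (its condition is outside the hunk), every later call returns the same untested `ret`. Consider setting `tested = 1;` only once the context exists, or resetting it on this path. The failure reason in `status` is also dropped here, so a one-line comment saying which value of `ret` callers see on this path would help. cl_self_test starts and ends outside the hunk.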
diff --git a/src/cl_event.c b/src/cl_event.c
index d2aee1e..a2aacea 100644
--- a/src/cl_event.c
+++ b/src/cl_event.c
@@ -76,6 +76,11 @@ cl_event_is_gpu_command_type(cl_command_type type)
 int cl_event_flush(cl_event event)
 {
   int err = CL_SUCCESS;
+  if(!event) {
+    err = CL_INVALID_VALUE;
+    return err;
+  }
+
   assert(event->gpgpu_event != NULL);
   if (event->gpgpu) {
     err = cl_command_queue_flush_gpgpu(event->queue, event->gpgpu);
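Review bot: The NULL guard added at the top of cl_event_flush returns `CL_INVALID_VALUE`, while OpenCL has a dedicated `CL_INVALID_EVENT` for a bad event handle; the guard could collapse to `if (!event) return CL_INVALID_EVENT;`. The line after the guard still relies on `assert(event->gpgpu_event != NULL)`, which disappears in NDEBUG builds, so any later dereference of `gpgpu_event` (outside the hunk) is worth checking in the same pass. The function body continues past the hunk.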
@@ -303,7 +308,7 @@ void cl_event_new_enqueue_callback(cl_event event,
 {
   enqueue_callback *cb, *node;
   user_event *user_events, *u_ev;
-  cl_command_queue queue = event->queue;
+  cl_command_queue queue = event ? event->queue : NULL;
   cl_int i;
   cl_int err = CL_SUCCESS;
 
@@ -362,9 +367,10 @@ void cl_event_new_enqueue_callback(cl_event event,
       /* Insert the user event to enqueue_callback's wait_user_events */
       TRY(cl_event_insert_user_event, &cb->wait_user_events, event_wait_list[i]);
       cl_event_add_ref(event_wait_list[i]);
-      cl_command_queue_insert_event(event->queue, event_wait_list[i]);
-      if(data->type == EnqueueBarrier){
-        cl_command_queue_insert_barrier_event(event->queue, event_wait_list[i]);
+      if(queue)
+        cl_command_queue_insert_event(queue, event_wait_list[i]);
+      if(queue && data->type == EnqueueBarrier){
+        cl_command_queue_insert_barrier_event(queue, event_wait_list[i]);
       }
     } else if(event_wait_list[i]->enqueue_cb != NULL) {
       user_events = event_wait_list[i]->enqueue_cb->wait_user_events;
@@ -386,20 +392,22 @@ void cl_event_new_enqueue_callback(cl_event event,
         /* Insert the user event to enqueue_callback's wait_user_events */
         TRY(cl_event_insert_user_event, &cb->wait_user_events, user_events->event);
         cl_event_add_ref(user_events->event);
-        cl_command_queue_insert_event(event->queue, user_events->event);
-        if(data->type == EnqueueBarrier){
+        if(queue)
+          cl_command_queue_insert_event(event->queue, user_events->event);
+        if(queue && data->type == EnqueueBarrier){
           cl_command_queue_insert_barrier_event(event->queue, user_events->event);
         }
         user_events = user_events->next;
       }
     }
   }
-  if(data->queue != NULL && event->gpgpu_event != NULL) {
+  if(event != NULL && event->queue != NULL && event->gpgpu_event != NULL) {
     event->gpgpu = cl_thread_gpgpu_take(event->queue);
     data->ptr = (void *)event->gpgpu_event;
   }
   cb->data = *data;
-  event->enqueue_cb = cb;
+  if(event)
+    event->enqueue_cb = cb;
 
 exit:
   return;
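Review bot: With `event == NULL` the callback `cb` is fully built but never attached, because `event->enqueue_cb = cb;` is now skipped; unless something outside these hunks owns `cb`, it is leaked together with the references taken by `cl_event_add_ref()`, and the deferred command never runs. The two call sites in cl_event_marker_with_wait_list (last hunk of this file) pass `event?*event:NULL` and then return `CL_SUCCESS`, so the marker would be dropped without any error. The calls under `if(queue)` in this hunk still use `event->queue` where the previous hunk uses `queue`; for consistency write `cl_command_queue_insert_event(queue, user_events->event);`. The guard also changed from `data->queue != NULL` to `event->queue != NULL`, a behaviour change the commit message does not mention. The function starts outside the hunk.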
@@ -595,12 +603,12 @@ cl_int cl_event_marker_with_wait_list(cl_command_queue queue,
   if(num_events_in_wait_list > 0){
     if(cl_event_wait_events(num_events_in_wait_list, event_wait_list, queue) == CL_ENQUEUE_EXECUTE_DEFER) {
       data.type = EnqueueMarker;
-      cl_event_new_enqueue_callback(*event, &data, num_events_in_wait_list, event_wait_list);
+      cl_event_new_enqueue_callback(event?*event:NULL, &data, num_events_in_wait_list, event_wait_list);
       return CL_SUCCESS;
     }
   } else if(queue->wait_events_num > 0) {
     data.type = EnqueueMarker;
-    cl_event_new_enqueue_callback(*event, &data, queue->wait_events_num, queue->wait_events);
+    cl_event_new_enqueue_callback(event?*event:NULL, &data, queue->wait_events_num, queue->wait_events);
     return CL_SUCCESS;
   }
 
diff --git a/src/cl_extensions.c b/src/cl_extensions.c
index b35ea30..349f2f1 100644
--- a/src/cl_extensions.c
+++ b/src/cl_extensions.c
@@ -134,7 +134,7 @@ cl_intel_platform_enable_extension(cl_device_id device, uint32_t ext)
   }
 
   /* already enabled, skip. */
-  if (strstr(device->extensions, ext_str))
+  if (ext_str && strstr(device->extensions, ext_str))
     ext_str = NULL;
 
   if (ext_str) {
diff --git a/src/cl_mem.c b/src/cl_mem.c
index 5d28fa9..229bc0a 100644
--- a/src/cl_mem.c
+++ b/src/cl_mem.c
@@ -938,10 +938,10 @@ _cl_mem_new_image(cl_context ctx,
                     0, 0, 0);
 
   /* Copy the data if required */
-  if (flags & CL_MEM_COPY_HOST_PTR)
+  if (flags & CL_MEM_COPY_HOST_PTR && data)
     cl_mem_copy_image(cl_mem_image(mem), pitch, slice_pitch, data);
 
-  if (flags & CL_MEM_USE_HOST_PTR) {
+  if (flags & CL_MEM_USE_HOST_PTR && data) {
     mem->host_ptr = data;
     cl_mem_image(mem)->host_row_pitch = pitch;
     cl_mem_image(mem)->host_slice_pitch = slice_pitch;
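Review bot: When `CL_MEM_COPY_HOST_PTR` or `CL_MEM_USE_HOST_PTR` is set and `data` is NULL, the new `&& data` conditions skip the copy and still hand back an image, so the caller gets an object that was never initialised from host memory and may hold stale buffer contents. OpenCL defines `CL_INVALID_HOST_PTR` for this combination; unless it is already rejected earlier in _cl_mem_new_image (outside the hunk), the function should fail rather than continue. The mixed `&`/`&&` conditions also read better parenthesised: `if ((flags & CL_MEM_COPY_HOST_PTR) && data)`.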
@@ -1417,6 +1417,9 @@ cl_mem_copy(cl_command_queue queue, cl_mem src_buf, cl_mem dst_buf,
              cl_internal_copy_buf_unalign_src_offset_str,
              (size_t)cl_internal_copy_buf_unalign_src_offset_str_size, NULL);
 
+    if (!ker)
+      return CL_OUT_OF_RESOURCES;
+
     cl_kernel_set_arg(ker, 0, sizeof(cl_mem), &src_buf);
     cl_kernel_set_arg(ker, 1, sizeof(int), &dw_src_offset);
     cl_kernel_set_arg(ker, 2, sizeof(cl_mem), &dst_buf);
diff --git a/src/cl_thread.c b/src/cl_thread.c
index 5e5a351..9614dfd 100644
--- a/src/cl_thread.c
+++ b/src/cl_thread.c
@@ -75,6 +75,12 @@ static thread_spec_data * __create_thread_spec_data(cl_command_queue queue, int
     if (i == thread_array_num) {
       thread_array_num *= 2;
       thread_slot_map = realloc(thread_slot_map, sizeof(int) * thread_array_num);
+
+      if(thread_slot_map == NULL) {
+        pthread_mutex_unlock(&thread_queue_map_lock);
+        return NULL;
+      }
+
       memset(thread_slot_map + thread_array_num/2, 0, sizeof(int) * (thread_array_num/2));
       thread_id = thread_array_num/2;
     }
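Review bot: The added NULL check comes too late to keep the state consistent: `thread_slot_map = realloc(thread_slot_map, ...)` has already overwritten the only pointer to the old block and `thread_array_num` has already been doubled, so on failure the old map is leaked and the globals describe an array that does not exist. A later call would presumably index the NULL `thread_slot_map`. Reallocate into a temporary and commit both values only on success, as sketched below (the types are inferred from the `sizeof(int)` in the hunk). The second realloc in the next hunk has the same shape with `thread_private->threads_data` and `threads_data_num`, and needs the same treatment. The function starts and ends outside the hunk.

```c
    if (i == thread_array_num) {
      int new_num = thread_array_num * 2;
      int *new_map = realloc(thread_slot_map, sizeof(int) * new_num);

      if (new_map == NULL) {
        /* Old map and old count are still valid here. */
        pthread_mutex_unlock(&thread_queue_map_lock);
        return NULL;
      }
      thread_slot_map = new_map;
      thread_array_num = new_num;
      /* … unchanged: memset of the new half, thread_id assignment … */
    }
```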
@@ -91,6 +97,12 @@ static thread_spec_data * __create_thread_spec_data(cl_command_queue queue, int
     thread_private->threads_data_num = thread_array_num;
     thread_private->threads_data = realloc(thread_private->threads_data,
                 thread_private->threads_data_num * sizeof(void *));
+
+    if(thread_private->threads_data == NULL) {
+      pthread_mutex_unlock(&thread_private->thread_data_lock);
+      return NULL;
+    }
+
     memset(thread_private->threads_data + old_num, 0,
            sizeof(void*) * (thread_private->threads_data_num - old_num));
   }
@@ -164,6 +176,8 @@ void* cl_thread_data_create(void)
 cl_gpgpu cl_get_thread_gpgpu(cl_command_queue queue)
 {
   thread_spec_data* spec = __create_thread_spec_data(queue, 1);
+  if(!spec)
+    return NULL;
 
   if (!spec->thread_magic && spec->thread_magic != thread_magic) {
     //We may get the slot from last thread. So free the resource.
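Review bot: cl_get_thread_gpgpu can now return NULL, and it is the only caller of __create_thread_spec_data that this patch updates (all 14 added lines in cl_thread.c are in these three hunks). Any other caller in the file would still dereference a NULL `spec`, and callers of cl_get_thread_gpgpu have to handle the NULL result; both are outside the hunks and worth checking. A short comment on the function stating that NULL means allocation failure would make the contract visible.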
diff --git a/src/cl_utils.h b/src/cl_utils.h
index 0934d5f..2926611 100644
--- a/src/cl_utils.h
+++ b/src/cl_utils.h
@@ -169,6 +169,11 @@ IMAGE = cl_mem_image(MEM);                                  \
 const size_t *REGION;                                       \
 size_t REGION ##_REC[3];                                    \
 do {                                                        \
+  if (PREGION == NULL)                                      \
+  {                                                         \
+    err = CL_INVALID_VALUE;                                 \
+    goto error;                                             \
+  }                                                         \
   if (IMAGE->image_type == CL_MEM_OBJECT_IMAGE1D_ARRAY) {   \
     REGION ##_REC[0] = PREGION[0];                          \
     REGION ##_REC[1] = 1;                                   \
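Review bot: The added check makes this macro depend on an `err` variable and an `error:` label in every function that expands it, which is not stated in the visible part of the macro. A comment above the `#define` (outside the hunk), such as `/* Requires 'err' and an 'error:' label in the enclosing function. */`, would document that. The macro argument should also be parenthesised in the comparison, `if ((PREGION) == NULL)`. Both points apply equally to the identical check added in the next hunk.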
@@ -188,6 +193,11 @@ do {                                                        \
 const size_t *REGION;                                       \
 size_t REGION ##_REC[3];                                    \
 do {                                                        \
+  if (PREGION == NULL)                                      \
+  {                                                         \
+    err = CL_INVALID_VALUE;                                 \
+    goto error;                                             \
+  }                                                         \
   if (IMAGE->image_type == CL_MEM_OBJECT_IMAGE1D_ARRAY) {   \
     REGION ##_REC[0] = PREGION[0];                          \
     REGION ##_REC[1] = 0;                                   \
diff --git a/src/intel/intel_gpgpu.c b/src/intel/intel_gpgpu.c
index f9ff4a0..39b7e4d 100644
--- a/src/intel/intel_gpgpu.c
+++ b/src/intel/intel_gpgpu.c
@@ -180,6 +180,9 @@ void intel_gpgpu_delete_all(intel_driver_t *drv)
 static void
 intel_gpgpu_delete(intel_gpgpu_t *gpgpu)
 {
+  if (gpgpu == NULL)
+    return;
+
   intel_driver_t *drv = gpgpu->drv;
   struct intel_gpgpu_node *p, *node;
 
@@ -205,7 +208,6 @@ intel_gpgpu_delete(intel_gpgpu_t *gpgpu)
       drv->gpgpu_list = drv->gpgpu_list->next;
       intel_gpgpu_delete_finished(node->gpgpu);
       cl_free(node);
-      node = p->next;
     }
   }
   if (gpgpu == NULL)
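Review bot: The `if (gpgpu == NULL)` test that closes this hunk can no longer be true, because the previous hunk adds an early `return` for a NULL `gpgpu` at the top of intel_gpgpu_delete (unless `gpgpu` is reassigned in the part of the body not shown). One of the two checks should go; keeping the early one and deleting this one is the smaller change. The early return also now precedes the declarations of `drv`, `p` and `node`, which matters if the file is otherwise built with declarations first.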
diff --git a/src/performance.c b/src/performance.c
index 85cd481..28bd6c6 100644
--- a/src/performance.c
+++ b/src/performance.c
@@ -280,6 +280,9 @@ static void insert(cl_context context, const char *kernel_name, const char *buil
   }
   context_storage_node *p_context = find_context(context);
   kernel_storage_node *p_kernel = find_kernel(p_context, kernel_name, build_opt);
+  if(!p_kernel)
+    return;
+
   prev_context_pointer = p_context;
   prev_kernel_pointer = p_kernel;
   p_kernel->kernel_times[p_kernel->current_count++] = time;
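Review bot: Only `p_kernel` is checked; `p_context` from find_context() is passed to find_kernel() and stored in `prev_context_pointer` without the same test. If find_context() can fail the way find_kernel() can (its body is not shown), the NULL dereference has only moved one call down; `if (!p_context) return;` before the find_kernel() call would close that. The write `p_kernel->kernel_times[p_kernel->current_count++] = time;` also has no visible bound on `current_count`; whether `kernel_times` is fixed-size is not shown, so that is worth confirming.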
diff --git a/src/x11/dricommon.c b/src/x11/dricommon.c
index 16f50e4..98eb713 100644
--- a/src/x11/dricommon.c
+++ b/src/x11/dricommon.c
@@ -68,6 +68,9 @@ dri_state_do_drawable_hash(dri_state_t *state, XID drawable)
   }
 
   dri_drawable = dri_state_create_drawable(state, drawable);
+  if(dri_drawable == NULL)
+    return NULL;
+
   dri_drawable->x_drawable = drawable;
   dri_drawable->next = state->drawable_hash[index];
   state->drawable_hash[index] = dri_drawable;
@@ -283,7 +286,8 @@ getDRI2State(Display* dpy, int screen, char **driver_name)
         &internal_driver_name, &device_name))
     goto err_out;
 
-  fd = open(device_name, O_RDWR);
+  if(device_name != NULL )
+    fd = open(device_name, O_RDWR);
 
   if (fd < 0)
     goto err_out;
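Review bot: When `device_name` is NULL the new code skips open() but still evaluates `if (fd < 0)`, so the outcome depends on whatever `fd` held before. Its declaration is outside the hunk; if it is not initialised to a negative value, this reads an indeterminate value and may continue with a bogus descriptor. Bail out explicitly instead: `if (device_name == NULL) goto err_out;` followed by the unconditional `fd = open(device_name, O_RDWR);`. getDRI2State starts and ends outside the hunk.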
-- 
2.1.4


