[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
Ilia Mirkin
imirkin at alum.mit.edu
Mon Jun 22 13:52:26 PDT 2015
If query_create fails, why would any of these functions get called?
On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
<samuel.pitoiset at gmail.com> wrote:
> This may happen when nv50_query_create() fails to create a new query.
>
> Signed-off-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>
> ---
> src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++++++++++++++-
> 1 file changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
> index 55fcac8..1162110 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
> @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
> static void
> nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
> {
> + if (!pq)
> + return;
> +
> nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
> nouveau_fence_ref(NULL, &nv50_query(pq)->fence);
> FREE(nv50_query(pq));
> @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
> struct nouveau_pushbuf *push = nv50->base.pushbuf;
> struct nv50_query *q = nv50_query(pq);
>
> + if (!pq)
> + return FALSE;
> +
> /* For occlusion queries we have to change the storage, because a previous
> * query might set the initial render conition to FALSE even *after* we re-
> * initialized it to TRUE.
> @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
> struct nouveau_pushbuf *push = nv50->base.pushbuf;
> struct nv50_query *q = nv50_query(pq);
>
> + if (!pq)
> + return;
> +
> q->state = NV50_QUERY_STATE_ENDED;
>
> switch (q->type) {
> @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
> uint64_t *res64 = (uint64_t *)result;
> uint32_t *res32 = (uint32_t *)result;
> boolean *res8 = (boolean *)result;
> - uint64_t *data64 = (uint64_t *)q->data;
> + uint64_t *data64;
> int i;
>
> + if (!pq)
> + return FALSE;
> +
> if (q->state != NV50_QUERY_STATE_READY)
> nv50_query_update(q);
>
> @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
> }
> q->state = NV50_QUERY_STATE_READY;
>
> + data64 = (uint64_t *)q->data;
> switch (q->type) {
> case PIPE_QUERY_GPU_FINISHED:
> res8[0] = TRUE;
> --
> 2.4.4
>
> _______________________________________________
> Nouveau mailing list
> Nouveau at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/nouveau
More information about the Nouveau
mailing list