[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions

Samuel Pitoiset samuel.pitoiset at gmail.com
Mon Jun 22 14:02:17 PDT 2015



On 06/22/2015 10:52 PM, Ilia Mirkin wrote:
> If query_create fails, why would any of these functions get called?

Because the HUD doesn't check whether query_create() fails, and it then calls the other 
pipe_query functions with a NULL pointer instead of a valid query object.

>
> On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
> <samuel.pitoiset at gmail.com> wrote:
>> This may happen when nv50_query_create() fails to create a new query.
>>
>> Signed-off-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>
>> ---
>>   src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++++++++++++++-
>>   1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> index 55fcac8..1162110 100644
>> --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
>>   static void
>>   nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
>>   {
>> +   if (!pq)
>> +      return;
>> +
>>      nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
>>      nouveau_fence_ref(NULL, &nv50_query(pq)->fence);
>>      FREE(nv50_query(pq));
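Review bot: The new early return in nv50_query_destroy tolerates a NULL query without saying why, which hides the real condition (a caller that ignored a failed nv50_query_create()) from the next reader; a one-line comment on the guard would document that contract, e.g. `/* pq may be NULL when nv50_query_create() failed and the caller did not check. */`. The same comment would serve the guards added in nv50_query_begin, nv50_query_end and nv50_query_result. Whether a debug-build diagnostic at this point is desirable depends on the pipe_query contract, which is not visible here.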
>> @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
>>      struct nouveau_pushbuf *push = nv50->base.pushbuf;
>>      struct nv50_query *q = nv50_query(pq);
>>
>> +   if (!pq)
>> +      return FALSE;
>> +
>>      /* For occlusion queries we have to change the storage, because a previous
>>       * query might set the initial render conition to FALSE even *after* we re-
>>       * initialized it to TRUE.
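Review bot: In nv50_query_begin the guard is placed after `struct nv50_query *q = nv50_query(pq);`, so the derived pointer is computed before pq is validated; nv50_query_end has the same ordering, and in nv50_query_result q is declared above the hunk so it cannot be seen here. If nv50_query() is a plain cast this is harmless, but the patch already splits the declaration and assignment of data64 in nv50_query_result for exactly this reason, and doing the same for q would make the three guards consistent: `struct nv50_query *q;`, then `if (!pq) return FALSE;`, then `q = nv50_query(pq);`. nv50_query_begin's body continues outside the hunk.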
>> @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
>>      struct nouveau_pushbuf *push = nv50->base.pushbuf;
>>      struct nv50_query *q = nv50_query(pq);
>>
>> +   if (!pq)
>> +      return;
>> +
>>      q->state = NV50_QUERY_STATE_ENDED;
>>
>>      switch (q->type) {
>> @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>>      uint64_t *res64 = (uint64_t *)result;
>>      uint32_t *res32 = (uint32_t *)result;
>>      boolean *res8 = (boolean *)result;
>> -   uint64_t *data64 = (uint64_t *)q->data;
>> +   uint64_t *data64;
>>      int i;
>>
>> +   if (!pq)
>> +      return FALSE;
>> +
>>      if (q->state != NV50_QUERY_STATE_READY)
>>         nv50_query_update(q);
>>
>> @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>>      }
>>      q->state = NV50_QUERY_STATE_READY;
>>
>> +   data64 = (uint64_t *)q->data;
>>      switch (q->type) {
>>      case PIPE_QUERY_GPU_FINISHED:
>>         res8[0] = TRUE;
>> --
>> 2.4.4
>>


