<div dir="ltr">virgl_renderer_get_cap_set() could return 0 in max_size, malloc(0) could return you a valid pointer (not null) which can be passed to free(), so, in this case you could overwrite memory. Probably, you'd better to check max_size for a minimum valid size.</div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Jun 7, 2018 at 11:21 PM, Dave Airlie <<a href="mailto:airlied@gmail.com" target="_blank">airlied@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">From: Dave Airlie <<a href="mailto:airlied@redhat.com">airlied@redhat.com</a>> I've come up with a workaround on the mesa side that should be backwards compatible with old vtests and vice-versa. It involves sending both caps 2 and 1 queries back to back, and taking the first response an indication of what to expect, --- vtest/vtest.h | 2 +- vtest/vtest_protocol.h | 2 ++ vtest/vtest_renderer.c | 28 ++++++++++++++++++++++++++++ vtest/vtest_server.c | 3 +++ 4 files changed, 34 insertions(+), 1 deletion(-) diff --git a/vtest/vtest.h b/vtest/vtest.h index deb6618..327c193 100644 --- a/vtest/vtest.h +++ b/vtest/vtest.h @@ -28,7 +28,7 @@ int vtest_create_renderer(int in_fd, int out_fd, uint32_t length); int vtest_send_caps(void); - +int vtest_send_caps2(void); int vtest_create_resource(void); int vtest_resource_unref(void); int vtest_submit_cmd(uint32_t length_dw); diff --git a/vtest/vtest_protocol.h b/vtest/vtest_protocol.h index 84fd3eb..f617643 100644 --- a/vtest/vtest_protocol.h +++ b/vtest/vtest_protocol.h @@ -48,6 +48,8 @@ /* pass the process cmd line for debugging */ #define VCMD_CREATE_RENDERER 8 + +#define VCMD_GET_CAPS2 9 /* get caps */ /* 0 length cmd */ /* resp VCMD_GET_CAPS + caps */ diff --git a/vtest/vtest_renderer.c b/vtest/vtest_renderer.c index 3b8fe1a..e0e7d64 100644 --- a/vtest/vtest_renderer.c +++ b/vtest/vtest_renderer.c @@ -153,6 +153,34 @@ void vtest_destroy_renderer(void) renderer.out_fd = -1; } +int vtest_send_caps2(void) +{ + uint32_t hdr_buf[2]; + void *caps_buf; + int ret; + uint32_t max_ver, max_size; + + virgl_renderer_get_cap_set(2, &max_ver, &max_size); + + caps_buf = malloc(max_size); + if (!caps_buf) + return -1; + + virgl_renderer_fill_caps(2, 1, caps_buf); + + hdr_buf[0] = max_size + 1; + hdr_buf[1] = 2; + ret = vtest_block_write(renderer.out_fd, hdr_buf, 8); + if (ret < 0) + goto end; + vtest_block_write(renderer.out_fd, caps_buf, max_size); + if (ret < 0) + goto end; + end: + free(caps_buf); + return 0; +} + int vtest_send_caps(void) { uint32_t max_ver, max_size; diff --git a/vtest/vtest_server.c b/vtest/vtest_server.c index 918639b..3868fe3 100644 --- a/vtest/vtest_server.c +++ b/vtest/vtest_server.c @@ -129,6 +129,9 @@ again: vtest_renderer_create_fence(); ret = vtest_resource_busy_wait(); break; + case VCMD_GET_CAPS2: + ret = vtest_send_caps2(); + break; default: break; } -- 2.14.3 _______________________________________________ virglrenderer-devel mailing list <a href="mailto:virglrenderer-devel@lists.freedesktop.org">virglrenderer-devel@lists.freedesktop.org</a> <a href="https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel</a> </blockquote></div> </div>