From: Samuel Pitoiset <samuel.pitoiset@gmail.com>
To: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: "nouveau@lists.freedesktop.org" <nouveau@lists.freedesktop.org>,
"mesa-dev@lists.freedesktop.org" <mesa-dev@lists.freedesktop.org>
Subject: Re: [Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
Date: Mon, 22 Jun 2015 23:02:17 +0200
Message-ID: <558877D9.8040501@gmail.com>
In-Reply-To: <CAKb7UvjfuOu6hAhB7ywQsMc6OXcjF-cn_5UC_O5oUKt4HzgZnQ@mail.gmail.com>

On 06/22/2015 10:52 PM, Ilia Mirkin wrote:
> If query_create fails, why would any of these functions get called?

Because the HUD doesn't check if query_create() fails and it calls other
pipe_query functions with a NULL pointer instead of a valid query object.

>
> On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
> <samuel.pitoiset@gmail.com> wrote:
>> This may happen when nv50_query_create() fails to create a new query.
>>
>> Signed-off-by: Samuel Pitoiset <samuel.pitoiset@gmail.com>
>> ---
>> src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++++++++++++++-
>> 1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> index 55fcac8..1162110 100644
>> --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
>> @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
>> static void
>> nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
>> {
>> + if (!pq)
>> + return;
>> +
>> nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
>> nouveau_fence_ref(NULL, &nv50_query(pq)->fence);
>> FREE(nv50_query(pq));
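
Review bot: The `if (!pq) return;` guard at the top of nv50_query_destroy() makes the driver tolerate a NULL query, but the reply above says the NULL comes from the HUD not checking query_create(). That caller should check the result as well (or instead); with only a driver-side guard, any other driver reached through the same caller needs the same workaround. If the guard stays, add a short comment saying destroy accepts NULL on purpose.
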
>> @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
>> struct nouveau_pushbuf *push = nv50->base.pushbuf;
>> struct nv50_query *q = nv50_query(pq);
>>
>> + if (!pq)
>> + return FALSE;
>> +
>> /* For occlusion queries we have to change the storage, because a previous
>> * query might set the initial render conition to FALSE even *after* we re-
>> * initialized it to TRUE.
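
Review bot: In nv50_query_begin() the `if (!pq)` test comes after `struct nv50_query *q = nv50_query(pq);`, so it is only safe as long as nv50_query() is a plain cast that never reads through its argument. Declaring `q` without an initializer and assigning it after the check would make the ordering obviously correct without relying on the helper's definition.
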
>> @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
>> struct nouveau_pushbuf *push = nv50->base.pushbuf;
>> struct nv50_query *q = nv50_query(pq);
>>
>> + if (!pq)
>> + return;
>> +
>> q->state = NV50_QUERY_STATE_ENDED;
>>
>> switch (q->type) {
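
Review bot: nv50_query_end() returns void, so the `if (!pq) return;` path drops the error silently and the caller bug described in this thread stays invisible. A debug-build assertion or a one-line debug message before the return would keep release builds from crashing while still flagging the NULL query during development.
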
>> @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>> uint64_t *res64 = (uint64_t *)result;
>> uint32_t *res32 = (uint32_t *)result;
>> boolean *res8 = (boolean *)result;
>> - uint64_t *data64 = (uint64_t *)q->data;
>> + uint64_t *data64;
>> int i;
>>
>> + if (!pq)
>> + return FALSE;
>> +
>> if (q->state != NV50_QUERY_STATE_READY)
>> nv50_query_update(q);
>>
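
Review bot: Missing documentation: replacing `uint64_t *data64 = (uint64_t *)q->data;` with a bare `uint64_t *data64;` is the part of nv50_query_result() that actually removes a dereference ahead of the new `if (!pq)` check, yet the commit message only says when the NULL can occur. One sentence in the commit message explaining that the initializer was moved because it read `q->data` before the check would save the next reader from working it out.
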
>> @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
>> }
>> q->state = NV50_QUERY_STATE_READY;
>>
>> + data64 = (uint64_t *)q->data;
>> switch (q->type) {
>> case PIPE_QUERY_GPU_FINISHED:
>> res8[0] = TRUE;
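
Review bot: `data64 = (uint64_t *)q->data;` is now assigned just before `switch (q->type)`, after the state handling, whereas the removed initializer read `q->data` at function entry. If the only goal is to avoid the NULL dereference, placing the assignment directly after the `if (!pq) return FALSE;` check keeps the original read point and avoids leaving `data64` uninitialized across the intervening code.
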
>> --
>> 2.4.4
>>