Re: [Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
If query_create fails, why would any of these functions get called?
On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset samuel.pitoi...@gmail.com wrote:
This may happen when nv50_query_create() fails to create a new query.
Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
---
 src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
index 55fcac8..1162110 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
@@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
 static void
 nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
 {
+   if (!pq)
+      return;
+
    nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
    nouveau_fence_ref(NULL, nv50_query(pq)-fence);
    FREE(nv50_query(pq));
@@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return FALSE;
+
    /* For occlusion queries we have to change the storage, because a previous
     * query might set the initial render conition to FALSE even *after* we re-
     * initialized it to TRUE.
@@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return;
+
    q-state = NV50_QUERY_STATE_ENDED;
 
    switch (q-type) {
@@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    uint64_t *res64 = (uint64_t *)result;
    uint32_t *res32 = (uint32_t *)result;
    boolean *res8 = (boolean *)result;
-   uint64_t *data64 = (uint64_t *)q-data;
+   uint64_t *data64;
    int i;
 
+   if (!pq)
+      return FALSE;
+
    if (q-state != NV50_QUERY_STATE_READY)
       nv50_query_update(q);
 
@@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    }
    q-state = NV50_QUERY_STATE_READY;
+   data64 = (uint64_t *)q-data;
 
    switch (q-type) {
    case PIPE_QUERY_GPU_FINISHED:
       res8[0] = TRUE;
--
2.4.4
___ Nouveau mailing list Nouveau@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/nouveau
___ Nouveau mailing list Nouveau@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/nouveau
[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
This may happen when nv50_query_create() fails to create a new query.
Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
---
 src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
index 55fcac8..1162110 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
@@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
 static void
 nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
 {
+   if (!pq)
+      return;
+
    nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
    nouveau_fence_ref(NULL, nv50_query(pq)-fence);
    FREE(nv50_query(pq));
@@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return FALSE;
+
    /* For occlusion queries we have to change the storage, because a previous
     * query might set the initial render conition to FALSE even *after* we re-
     * initialized it to TRUE.
@@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return;
+
    q-state = NV50_QUERY_STATE_ENDED;
 
    switch (q-type) {
@@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    uint64_t *res64 = (uint64_t *)result;
    uint32_t *res32 = (uint32_t *)result;
    boolean *res8 = (boolean *)result;
-   uint64_t *data64 = (uint64_t *)q-data;
+   uint64_t *data64;
    int i;
 
+   if (!pq)
+      return FALSE;
+
    if (q-state != NV50_QUERY_STATE_READY)
       nv50_query_update(q);
 
@@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    }
    q-state = NV50_QUERY_STATE_READY;
+   data64 = (uint64_t *)q-data;
 
    switch (q-type) {
    case PIPE_QUERY_GPU_FINISHED:
       res8[0] = TRUE;
--
2.4.4
___ Nouveau mailing list Nouveau@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/nouveau
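Review bot: In the nv50_query_begin hunk the new `if (!pq)` guard comes after `struct nv50_query *q = nv50_query(pq);`, so the conversion still runs on a NULL pointer before anything is checked; that is harmless only if nv50_query() is a plain cast with no field access, which this hunk does not show. Since the rest of the function uses `q` rather than `pq`, checking the value that is actually dereferenced reads more directly and does not depend on that assumption: `if (!q)` / `return FALSE;`, or hoist the guard above the declaration. The nv50_query_end hunk has the same ordering. nv50_query_begin starts and ends outside the hunk, so whether any other use of `q` precedes the guard cannot be confirmed here.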
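Review bot: The new `if (!pq) return FALSE;` in nv50_query_result leaves `result` untouched, so a caller that ignores the boolean (the thread reports the HUD already ignores query_create's failure) will proceed to read whatever stale bytes were in its result buffer — the NULL-dereference crash becomes a silent read of uninitialized memory. If the intent is to keep such callers running, zeroing the output on the failure path is cheap: `if (!pq) { memset(result, 0, sizeof(*result)); return FALSE; }` — presuming `result` is the `union pipe_query_result *` from the function's signature, which lies outside the hunk, and that the file already has memset in scope. Moving the `data64` initialization below the guard (second hunk) is the part that actually removes the dereference, since the old initializer read `q->data` before any check. The function body continues beyond the hunk.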
Re: [Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions
On 06/22/2015 10:52 PM, Ilia Mirkin wrote:
If query_create fails, why would any of these functions get called?
Because the HUD doesn't check if query_create() fails and it calls other pipe_query functions with NULL pointer instead of a valid query object.
On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset samuel.pitoi...@gmail.com wrote:
This may happen when nv50_query_create() fails to create a new query.
Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
---
 src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c b/src/gallium/drivers/nouveau/nv50/nv50_query.c
index 55fcac8..1162110 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
@@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct nv50_query *q, int size)
 static void
 nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
 {
+   if (!pq)
+      return;
+
    nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
    nouveau_fence_ref(NULL, nv50_query(pq)-fence);
    FREE(nv50_query(pq));
@@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return FALSE;
+
    /* For occlusion queries we have to change the storage, because a previous
     * query might set the initial render conition to FALSE even *after* we re-
     * initialized it to TRUE.
@@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query *pq)
    struct nouveau_pushbuf *push = nv50-base.pushbuf;
    struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+      return;
+
    q-state = NV50_QUERY_STATE_ENDED;
 
    switch (q-type) {
@@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    uint64_t *res64 = (uint64_t *)result;
    uint32_t *res32 = (uint32_t *)result;
    boolean *res8 = (boolean *)result;
-   uint64_t *data64 = (uint64_t *)q-data;
+   uint64_t *data64;
    int i;
 
+   if (!pq)
+      return FALSE;
+
    if (q-state != NV50_QUERY_STATE_READY)
       nv50_query_update(q);
 
@@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct pipe_query *pq,
    }
    q-state = NV50_QUERY_STATE_READY;
+   data64 = (uint64_t *)q-data;
 
    switch (q-type) {
    case PIPE_QUERY_GPU_FINISHED:
       res8[0] = TRUE;
--
2.4.4
___ Nouveau mailing list Nouveau@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/nouveau
___ Nouveau mailing list Nouveau@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/nouveau