Re: [Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions

2015-06-22 Thread Ilia Mirkin
If query_create fails, why would any of these functions get called?

On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
samuel.pitoi...@gmail.com wrote:
 This may happen when nv50_query_create() fails to create a new query.

 Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
 ---
  src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
  1 file changed, 14 insertions(+), 1 deletion(-)

 diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c 
 b/src/gallium/drivers/nouveau/nv50/nv50_query.c
 index 55fcac8..1162110 100644
 --- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
 +++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
 @@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct 
 nv50_query *q, int size)
  static void
  nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
  {
 +   if (!pq)
 +  return;
 +
 nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
 nouveau_fence_ref(NULL, nv50_query(pq)-fence);
 FREE(nv50_query(pq));
 @@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct 
 pipe_query *pq)
 struct nouveau_pushbuf *push = nv50-base.pushbuf;
 struct nv50_query *q = nv50_query(pq);

 +   if (!pq)
 +  return FALSE;
 +
 /* For occlusion queries we have to change the storage, because a previous
  * query might set the initial render conition to FALSE even *after* we 
 re-
  * initialized it to TRUE.
 @@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct 
 pipe_query *pq)
 struct nouveau_pushbuf *push = nv50-base.pushbuf;
 struct nv50_query *q = nv50_query(pq);

 +   if (!pq)
 +  return;
 +
 q-state = NV50_QUERY_STATE_ENDED;

 switch (q-type) {
 @@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct 
 pipe_query *pq,
 uint64_t *res64 = (uint64_t *)result;
 uint32_t *res32 = (uint32_t *)result;
 boolean *res8 = (boolean *)result;
 -   uint64_t *data64 = (uint64_t *)q-data;
 +   uint64_t *data64;
 int i;

 +   if (!pq)
 +  return FALSE;
 +
 if (q-state != NV50_QUERY_STATE_READY)
nv50_query_update(q);

 @@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct 
 pipe_query *pq,
 }
 q-state = NV50_QUERY_STATE_READY;

 +   data64 = (uint64_t *)q-data;
 switch (q-type) {
 case PIPE_QUERY_GPU_FINISHED:
res8[0] = TRUE;
 --
 2.4.4



[Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions

2015-06-22 Thread Samuel Pitoiset
This may happen when nv50_query_create() fails to create a new query.

Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
---
 src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c 
b/src/gallium/drivers/nouveau/nv50/nv50_query.c
index 55fcac8..1162110 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
@@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct 
nv50_query *q, int size)
 static void
 nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
 {
+   if (!pq)
+  return;
+
nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
nouveau_fence_ref(NULL, nv50_query(pq)-fence);
FREE(nv50_query(pq));
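Review bot: The new guard at the top of nv50_query_destroy() turns a NULL query into a no-op, which is the right shape for a destroy path, but nothing in the hunk records why a NULL can reach a pipe_query entry point at all. The thread attributes it to the HUD passing on the NULL returned by a failed query_create(), so a one-line comment above the check would save the next reader the archaeology: `/* The HUD calls in with NULL when query_create() failed; treat it as a no-op. */`. The same hunk is quoted unchanged in both replies on this page. The tail of nv50_query_destroy() is outside the hunk.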
@@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct 
pipe_query *pq)
struct nouveau_pushbuf *push = nv50-base.pushbuf;
struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+  return FALSE;
+
/* For occlusion queries we have to change the storage, because a previous
 * query might set the initial render conition to FALSE even *after* we re-
 * initialized it to TRUE.
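Review bot: The new `if (!pq)` check in nv50_query_begin() is placed after `q = nv50_query(pq)` has already been computed from the very pointer it guards, and the same ordering appears in the nv50_query_end() hunk and in the first nv50_query_result() hunk. That is only safe if nv50_query() is a pure cast with no dereference, which is presumably the case for this container helper but is not visible in the hunk, and the ordering reads as a use-before-check to anyone auditing it later. A short comment would make the intent explicit, e.g. `/* nv50_query() is a plain cast; q must not be dereferenced before this check. */`. The rest of nv50_query_begin(), including where `push` is consumed, is outside the hunk.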
@@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query 
*pq)
struct nouveau_pushbuf *push = nv50-base.pushbuf;
struct nv50_query *q = nv50_query(pq);
 
+   if (!pq)
+  return;
+
q-state = NV50_QUERY_STATE_ENDED;
 
switch (q-type) {
@@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct 
pipe_query *pq,
uint64_t *res64 = (uint64_t *)result;
uint32_t *res32 = (uint32_t *)result;
boolean *res8 = (boolean *)result;
-   uint64_t *data64 = (uint64_t *)q-data;
+   uint64_t *data64;
int i;
 
+   if (!pq)
+  return FALSE;
+
if (q-state != NV50_QUERY_STATE_READY)
   nv50_query_update(q);
 
@@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct 
pipe_query *pq,
}
q-state = NV50_QUERY_STATE_READY;
 
+   data64 = (uint64_t *)q-data;
switch (q-type) {
case PIPE_QUERY_GPU_FINISHED:
   res8[0] = TRUE;
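Review bot: Moving the `data64 = (uint64_t *)q->data;` assignment from the declaration down to just before the switch changes when q->data is sampled: it is now read after nv50_query_update() and the READY wait rather than before them. That is equivalent only if nothing in the elided middle of nv50_query_result() re-points q->data, which cannot be confirmed from this hunk, and between the new bare `uint64_t *data64;` declaration in the previous hunk and this line the variable is uninitialised, so any read of it in that stretch would be undefined behaviour. A comment at the assignment would pin the intent: `/* q->data is only read once the query is READY; it is not valid before. */`. The start of the function and the lines between the two hunks are outside view.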
-- 
2.4.4



Re: [Nouveau] [RFC PATCH 5/8] nv50: prevent NULL pointer dereference with pipe_query functions

2015-06-22 Thread Samuel Pitoiset



On 06/22/2015 10:52 PM, Ilia Mirkin wrote:

If query_create fails, why would any of these functions get called?


Because the HUD doesn't check whether query_create() fails, and it then calls the other 
pipe_query functions with a NULL pointer instead of a valid query object.




On Mon, Jun 22, 2015 at 4:53 PM, Samuel Pitoiset
samuel.pitoi...@gmail.com wrote:

This may happen when nv50_query_create() fails to create a new query.

Signed-off-by: Samuel Pitoiset samuel.pitoi...@gmail.com
---
  src/gallium/drivers/nouveau/nv50/nv50_query.c | 15 ++-
  1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/nouveau/nv50/nv50_query.c 
b/src/gallium/drivers/nouveau/nv50/nv50_query.c
index 55fcac8..1162110 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_query.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_query.c
@@ -96,6 +96,9 @@ nv50_query_allocate(struct nv50_context *nv50, struct 
nv50_query *q, int size)
  static void
  nv50_query_destroy(struct pipe_context *pipe, struct pipe_query *pq)
  {
+   if (!pq)
+  return;
+
 nv50_query_allocate(nv50_context(pipe), nv50_query(pq), 0);
 nouveau_fence_ref(NULL, nv50_query(pq)-fence);
 FREE(nv50_query(pq));
@@ -152,6 +155,9 @@ nv50_query_begin(struct pipe_context *pipe, struct 
pipe_query *pq)
 struct nouveau_pushbuf *push = nv50-base.pushbuf;
 struct nv50_query *q = nv50_query(pq);

+   if (!pq)
+  return FALSE;
+
 /* For occlusion queries we have to change the storage, because a previous
  * query might set the initial render conition to FALSE even *after* we re-
  * initialized it to TRUE.
@@ -218,6 +224,9 @@ nv50_query_end(struct pipe_context *pipe, struct pipe_query 
*pq)
 struct nouveau_pushbuf *push = nv50-base.pushbuf;
 struct nv50_query *q = nv50_query(pq);

+   if (!pq)
+  return;
+
 q-state = NV50_QUERY_STATE_ENDED;

 switch (q-type) {
@@ -294,9 +303,12 @@ nv50_query_result(struct pipe_context *pipe, struct 
pipe_query *pq,
 uint64_t *res64 = (uint64_t *)result;
 uint32_t *res32 = (uint32_t *)result;
 boolean *res8 = (boolean *)result;
-   uint64_t *data64 = (uint64_t *)q-data;
+   uint64_t *data64;
 int i;

+   if (!pq)
+  return FALSE;
+
 if (q-state != NV50_QUERY_STATE_READY)
nv50_query_update(q);

@@ -314,6 +326,7 @@ nv50_query_result(struct pipe_context *pipe, struct 
pipe_query *pq,
 }
 q-state = NV50_QUERY_STATE_READY;

+   data64 = (uint64_t *)q-data;
 switch (q-type) {
 case PIPE_QUERY_GPU_FINISHED:
res8[0] = TRUE;
--
2.4.4


