authorRob Clark2017-03-21 09:01:02 -0500
committerRob Clark2017-03-21 09:03:55 -0500
commit2b7453f47862b0ae8032ba269b40830a34a6fb43 (patch)
tree2a48ffac7c2580f40863c6d4d74dc80f71173cce /freedreno
parent19c4cfc54918d361f2535aec16650e9f0be667cd (diff)
freedreno: fix potential use-after-free on a5xx+
Something that valgrind spotted: ==8441== Invalid read of size 4 ==8441== at 0x5DEE168: msm_ringbuffer_emit_reloc (msm_ringbuffer.c:506) ==8441== by 0x5B48F0F: OUT_RELOCW (freedreno_util.h:241) ==8441== by 0x5B48F0F: fd5_emit_blit (fd5_emit.h:131) ==8441== by 0x5B48F0F: emit_gmem2mem_surf.isra.12 (fd5_gmem.c:450) ==8441== by 0x5B4910F: fd5_emit_tile_gmem2mem (fd5_gmem.c:477) ==8441== by 0x5B14943: render_tiles (freedreno_gmem.c:342) ==8441== by 0x5B14943: fd_gmem_render_tiles (freedreno_gmem.c:416) ==8441== by 0x5B0FBA7: batch_flush (freedreno_batch.c:281) ==8441== by 0x5B0FBA7: fd_batch_flush (freedreno_batch.c:306) ==8441== by 0x5B11FE7: fd_context_flush (freedreno_context.c:52) ==8441== by 0x58AD783: st_glFlush (st_cb_flush.c:121) ==8441== by 0x5751EE7: _mesa_make_current (context.c:1652) ==8441== by 0x58E6A97: st_api_make_current (st_manager.c:811) ==8441== by 0x5A2CE43: dri_unbind_context (dri_context.c:207) ==8441== by 0x5A2C77F: driUnbindContext (dri_util.c:589) ==8441== by 0x4AC8A67: MakeContextCurrent (glxcurrent.c:214) ==8441== Address 0x6f5eb1c is 204 bytes inside a block of size 240 free'd ==8441== at 0x4868F44: realloc (vg_replace_malloc.c:785) ==8441== by 0x5DEE143: msm_ringbuffer_emit_reloc (msm_ringbuffer.c:502) ==8441== by 0x5B48F0F: OUT_RELOCW (freedreno_util.h:241) ==8441== by 0x5B48F0F: fd5_emit_blit (fd5_emit.h:131) ==8441== by 0x5B48F0F: emit_gmem2mem_surf.isra.12 (fd5_gmem.c:450) ==8441== by 0x5B4910F: fd5_emit_tile_gmem2mem (fd5_gmem.c:477) ==8441== by 0x5B14943: render_tiles (freedreno_gmem.c:342) ==8441== by 0x5B14943: fd_gmem_render_tiles (freedreno_gmem.c:416) ==8441== by 0x5B0FBA7: batch_flush (freedreno_batch.c:281) ==8441== by 0x5B0FBA7: fd_batch_flush (freedreno_batch.c:306) ==8441== by 0x5B11FE7: fd_context_flush (freedreno_context.c:52) ==8441== by 0x58AD783: st_glFlush (st_cb_flush.c:121) ==8441== by 0x5751EE7: _mesa_make_current (context.c:1652) ==8441== by 0x58E6A97: st_api_make_current (st_manager.c:811) ==8441== by 0x5A2CE43: 
dri_unbind_context (dri_context.c:207) ==8441== by 0x5A2C77F: driUnbindContext (dri_util.c:589) ==8441== Block was alloc'd at ==8441== at 0x4868F44: realloc (vg_replace_malloc.c:785) ==8441== by 0x5DEE08B: msm_ringbuffer_emit_reloc (msm_ringbuffer.c:481) ==8441== by 0x5B48F0F: OUT_RELOCW (freedreno_util.h:241) ==8441== by 0x5B48F0F: fd5_emit_blit (fd5_emit.h:131) ==8441== by 0x5B48F0F: emit_gmem2mem_surf.isra.12 (fd5_gmem.c:450) ==8441== by 0x5B4909F: fd5_emit_tile_gmem2mem (fd5_gmem.c:465) ==8441== by 0x5B14943: render_tiles (freedreno_gmem.c:342) ==8441== by 0x5B14943: fd_gmem_render_tiles (freedreno_gmem.c:416) ==8441== by 0x5B0FBA7: batch_flush (freedreno_batch.c:281) ==8441== by 0x5B0FBA7: fd_batch_flush (freedreno_batch.c:306) ==8441== by 0x5B11FE7: fd_context_flush (freedreno_context.c:52) ==8441== by 0x58AD783: st_glFlush (st_cb_flush.c:121) ==8441== by 0x5751EE7: _mesa_make_current (context.c:1652) ==8441== by 0x58E6A97: st_api_make_current (st_manager.c:811) ==8441== by 0x5A2CE43: dri_unbind_context (dri_context.c:207) ==8441== by 0x5A2C77F: driUnbindContext (dri_util.c:589) Signed-off-by: Rob Clark <robclark@freedesktop.org>
Diffstat (limited to 'freedreno')
-rw-r--r--freedreno/msm/msm_ringbuffer.c7
1 files changed, 6 insertions, 1 deletions
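--- a/freedreno/msm/msm_ringbuffer.c
+++ b/freedreno/msm/msm_ringbuffer.c
@@ -496,11 +496,16 @@ static void msm_ringbuffer_emit_reloc(struct fd_ringbuffer *ring,
 	if (ring->pipe->gpu_id >= 500) {
 		struct drm_msm_gem_submit_reloc *reloc_hi;
 
+		/* NOTE: grab reloc_idx *before* APPEND() since that could
+		 * realloc() meaning that 'reloc' ptr is no longer valid:
+		 */
+		uint32_t reloc_idx = reloc->reloc_idx;
+
 		idx = APPEND(cmd, relocs);
 
 		reloc_hi = &cmd->relocs[idx];
 
-		reloc_hi->reloc_idx = reloc->reloc_idx;
+		reloc_hi->reloc_idx = reloc_idx;
 		reloc_hi->reloc_offset = r->offset;
 		reloc_hi->or = r->orhi;
 		reloc_hi->shift = r->shift - 32;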
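Review bot: The stale `reloc` pointer is still live in scope after `idx = APPEND(cmd, relocs);` — the hunk removes the one read that valgrind caught, but any later use of `reloc` in msm_ringbuffer_emit_reloc (the function continues past this hunk, so I cannot see whether there is one) would hit the same freed block. Since `APPEND()` can realloc `cmd->relocs`, every pointer into that array taken before the call is invalidated, not just `reloc`. I would either re-derive the pointer from the array after the append, if the lo-half index is still available (`reloc = &cmd->relocs[LO_IDX];` with the real variable name), or poison it with `reloc = NULL; /* invalidated by APPEND() realloc */` so a later dereference fails loudly under a sanitizer rather than reading freed memory. The new comment could also say this more generally, e.g. `/* APPEND() may realloc cmd->relocs; every pointer into it, including 'reloc', is stale afterwards */`.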