authorLionel Landwerlin <lionel.g.landwerlin@intel.com>2019-05-09 13:33:43 +0100
committerDylan Baker <dylan@pnwbakers.com>2019-05-10 10:29:53 -0700
commitf4ab855312ced8e5467615d09f9787aadce0b4f1 (patch)
tree8ed5347bbf9692b47e6270f343f16e5f025b5e87
parentab41ddb671a17b10786c051d912882809b5e7151 (diff)
anv: Use corresponding type from the vector allocation
We didn't notice this issue much because the 2 structs share a similar layout, except for the additional fields... We run into that issue in Anv : ==15236== Invalid write of size 8 ==15236== at 0x8CF3939C: anv_state_table_expand_range (anv_allocator.c:211) ==15236== by 0x8CF394D5: anv_state_table_grow (anv_allocator.c:264) ==15236== by 0x8CF3967E: anv_state_table_add (anv_allocator.c:312) ==15236== by 0x8CF3B13C: anv_state_pool_alloc_no_vg (anv_allocator.c:1167) ==15236== by 0x8CF3B2B0: anv_state_pool_alloc (anv_allocator.c:1190) ==15236== by 0x8CF60871: alloc_surface_state (anv_image.c:1122) ==15236== by 0x8CF61FF9: anv_CreateImageView (anv_image.c:1519) ==15236== by 0x8BCBD2ED: vkCreateImageView (trampoline.c:1358) ==15236== Address 0x8994ef10 is 0 bytes after a block of size 128 alloc'd ==15236== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==15236== by 0x8D2578E6: u_vector_init (u_vector.c:47) ==15236== by 0x8CF3929A: anv_state_table_init (anv_allocator.c:168) ==15236== by 0x8CF3A99A: anv_state_pool_init (anv_allocator.c:921) ==15236== by 0x8CF56517: anv_CreateDevice (anv_device.c:1909) ==15236== by 0x8BCB4FBA: terminator_CreateDevice (loader.c:6073) ==15236== by 0x8DD2CB3D: ??? (in /home/djdeath/.steam/ubuntu12_64/libVkLayer_steam_fossilize.so) ==15236== by 0x8DF4D241: vkCreateDevice (in /home/djdeath/.steam/ubuntu12_64/steamoverlayvulkanlayer.so) ==15236== by 0x8BCB35C6: loader_create_device_chain (loader.c:5449) ==15236== by 0x8BCBC230: vkCreateDevice (trampoline.c:838) v2: Rename mmap_cleanups to avoid confusion (Caio) v3: s/fail_mmap_cleanups/fail_cleanups/ (Caio) Signed-off-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110648 Cc: <mesa-stable@lists.freedesktop.org> Reviewed-by: Caio Marcelo de Oliveira Filho <caio.oliveira@intel.com> (cherry picked from commit f2f6ac1c0811858374142022f81bdcf0207e640c)
-rw-r--r--src/intel/vulkan/anv_allocator.c18
-rw-r--r--src/intel/vulkan/anv_private.h2
2 files changed, 10 insertions, 10 deletions
diff --git a/src/intel/vulkan/anv_allocator.c b/src/intel/vulkan/anv_allocator.c
index 006175c8c65..e9cc5764924 100644
--- a/src/intel/vulkan/anv_allocator.c
+++ b/src/intel/vulkan/anv_allocator.c
@@ -165,7 +165,7 @@ anv_state_table_init(struct anv_state_table *table,
goto fail_fd;
}
- if (!u_vector_init(&table->mmap_cleanups,
+ if (!u_vector_init(&table->cleanups,
round_to_power_of_two(sizeof(struct anv_state_table_cleanup)),
128)) {
result = vk_error(VK_ERROR_INITIALIZATION_FAILED);
@@ -179,12 +179,12 @@ anv_state_table_init(struct anv_state_table *table,
uint32_t initial_size = initial_entries * ANV_STATE_ENTRY_SIZE;
result = anv_state_table_expand_range(table, initial_size);
if (result != VK_SUCCESS)
- goto fail_mmap_cleanups;
+ goto fail_cleanups;
return VK_SUCCESS;
- fail_mmap_cleanups:
- u_vector_finish(&table->mmap_cleanups);
+ fail_cleanups:
+ u_vector_finish(&table->cleanups);
fail_fd:
close(table->fd);
@@ -195,7 +195,7 @@ static VkResult
anv_state_table_expand_range(struct anv_state_table *table, uint32_t size)
{
void *map;
- struct anv_mmap_cleanup *cleanup;
+ struct anv_state_table_cleanup *cleanup;
/* Assert that we only ever grow the pool */
assert(size >= table->state.end);
@@ -204,11 +204,11 @@ anv_state_table_expand_range(struct anv_state_table *table, uint32_t size)
if (size > BLOCK_POOL_MEMFD_SIZE)
return vk_error(VK_ERROR_OUT_OF_HOST_MEMORY);
- cleanup = u_vector_add(&table->mmap_cleanups);
+ cleanup = u_vector_add(&table->cleanups);
if (!cleanup)
return vk_error(VK_ERROR_OUT_OF_HOST_MEMORY);
- *cleanup = ANV_MMAP_CLEANUP_INIT;
+ *cleanup = ANV_STATE_TABLE_CLEANUP_INIT;
/* Just leak the old map until we destroy the pool. We can't munmap it
* without races or imposing locking on the block allocate fast path. On
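Review bot: The write `*cleanup = ANV_STATE_TABLE_CLEANUP_INIT;` is still only correct because the declared type of `cleanup` happens to match the element size passed to `u_vector_init()` in `anv_state_table_init`. Nothing in the code checks that, since the pointer returned by `u_vector_add()` is assigned to the typed pointer with no size check. A mismatch of this kind appears to be what caused the write just past the 128-byte allocation shown in the Valgrind trace in the commit message. I would add `assert(table->cleanups.element_size >= sizeof(*cleanup));` right after the `if (!cleanup)` check, so that a later change to either type fails in debug builds instead of silently corrupting the heap; this covers only builds with assertions enabled. The body of anv_state_table_expand_range continues outside this hunk.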
@@ -272,12 +272,12 @@ anv_state_table_finish(struct anv_state_table *table)
{
struct anv_state_table_cleanup *cleanup;
- u_vector_foreach(cleanup, &table->mmap_cleanups) {
+ u_vector_foreach(cleanup, &table->cleanups) {
if (cleanup->map)
munmap(cleanup->map, cleanup->size);
}
- u_vector_finish(&table->mmap_cleanups);
+ u_vector_finish(&table->cleanups);
close(table->fd);
}
diff --git a/src/intel/vulkan/anv_private.h b/src/intel/vulkan/anv_private.h
index 73fad8f9948..c10d4732942 100644
--- a/src/intel/vulkan/anv_private.h
+++ b/src/intel/vulkan/anv_private.h
@@ -742,7 +742,7 @@ struct anv_state_table {
struct anv_free_entry *map;
uint32_t size;
struct anv_block_state state;
- struct u_vector mmap_cleanups;
+ struct u_vector cleanups;
};
struct anv_state_pool {