From 3274fb5265e77cb15c3515d7d4f397908b34d5bf Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Thu, 28 Jul 2022 12:22:04 -0700
Subject: [PATCH 1/7] mem_test: resolve memory leak
---
 test/acl_mem_test.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/acl_mem_test.cpp b/test/acl_mem_test.cpp
index 31e3e0b8..0ca1133f 100644
--- a/test/acl_mem_test.cpp
+++ b/test/acl_mem_test.cpp
@@ -3394,6 +3394,8 @@ MT_TEST(acl_mem, map_svm_pointer) {
 sizeof(uses_svm_pointer), &uses_svm_pointer, NULL));
 CHECK_EQUAL(CL_TRUE, uses_svm_pointer);
+
+ acl_free(host_pointer);
 clReleaseMemObject(svm_mem);
 }
@@ -3502,6 +3504,7 @@ MT_TEST(acl_mem, map_unmap_image) {
 CHECK_EQUAL(acl_ref_count(image), refcnt);
 clReleaseMemObject(image);
+ acl_free(input_ptr);
 ACL_LOCKED(acl_print_debug_msg("end map_unmap_image\n"));
 }
From 770762b02e6506c907214e2c3c63c331e48fe85a Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Thu, 28 Jul 2022 12:25:24 -0700
Subject: [PATCH 2/7] context: resolve memory leak in l_init_context_with_devices
---
 src/acl_context.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/acl_context.cpp b/src/acl_context.cpp
index f3413ec0..405a8b2f 100644
--- a/src/acl_context.cpp
+++ b/src/acl_context.cpp
@@ -895,9 +895,11 @@ static cl_int l_init_context_with_devices(cl_context context,
 } else {
 num_absent++;
 }
- if (num_present && num_absent)
+ if (num_present && num_absent) {
+ acl_free(context->command_queue);
 ERR_RET(CL_INVALID_DEVICE, context, "Can't create a context with both offline and online devices");
+ }
 usable = usable || acl_platform.offline_device == devices[i]->def.autodiscovery_def.name;
From c98cfe80bbe642cfc98ffc0fd7e4445f85ec2be3 Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Thu, 28 Jul 2022 12:27:08 -0700
Subject: [PATCH 3/7] program_test: resolve stack buffer overflow caused by wrong variable type
---
 test/acl_program_test.cpp | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
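Review bot: In `map_svm_pointer` the added `acl_free(host_pointer);` runs before `clReleaseMemObject(svm_mem);`, whereas the second hunk in `map_unmap_image` frees `input_ptr` only after the image has been released. The creation of `svm_mem` is outside the hunk, but if it wraps `host_pointer` the mem object holds a dangling host pointer until it is released, and any access during release would be a use-after-free. Moving the free below the release (`clReleaseMemObject(svm_mem);` then `acl_free(host_pointer);`) keeps both tests on the same release-then-free order.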
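Review bot: `context->command_queue` still holds the freed address after the added `acl_free(context->command_queue);` in the mixed offline/online branch, so any later teardown of this context that frees the member again would be a double free. Add `context->command_queue = NULL;` directly after the free. The function body starts and ends outside the hunk, so it is worth confirming whether the other `ERR_RET` exits that follow this allocation leak the same buffer; a single cleanup path would cover them all.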
diff --git a/test/acl_program_test.cpp b/test/acl_program_test.cpp
index 97539672..93f8c96a 100644
--- a/test/acl_program_test.cpp
+++ b/test/acl_program_test.cpp
@@ -1143,19 +1143,20 @@ MT_TEST(from_source, offline_mode_build_failure) {
 CHECK_EQUAL(0, size_ret); // Try to get the binaries.
- unsigned char bins[1] = {'h'};
+ unsigned char bin[1] = {'h'};
+ unsigned char *bins[1] = {bin};
 size_ret = 99;
 CHECK_EQUAL(CL_SUCCESS, clGetProgramInfo(m_program, CL_PROGRAM_BINARIES, 0, 0, &size_ret));
- CHECK_EQUAL(sizeof(char *), size_ret);
+ CHECK_EQUAL(sizeof(bins), size_ret);
 CHECK_EQUAL(CL_SUCCESS, clGetProgramInfo(m_program, CL_PROGRAM_BINARIES,
- sizeof(char *), bins, 0));
+ sizeof(bins), bins, 0));
 // Should not have overwritten!
- CHECK_EQUAL('h', bins[0]);
- bins[0] = 'i';
+ CHECK_EQUAL('h', bins[0][0]);
+ bins[0][0] = 'i';
 CHECK_EQUAL(CL_SUCCESS, clGetProgramInfo(m_program, CL_PROGRAM_BINARIES,
- sizeof(char *), bins, 0));
- CHECK_EQUAL('i', bins[0]);
+ sizeof(bins), bins, 0));
+ CHECK_EQUAL('i', bins[0][0]);
 }
 MT_TEST(from_source, compile_program) {
From 7e80b1b8dcfeccd9cd40a0f31448d171fba2bdf2 Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Tue, 2 Aug 2022 14:03:12 -0700
Subject: [PATCH 4/7] kernel: resolve stack buffer overflow caused by casting void pointer to cl_sampler without checking
---
 src/acl_kernel.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/acl_kernel.cpp b/src/acl_kernel.cpp
index 49013db7..2f6e5b85 100644
--- a/src/acl_kernel.cpp
+++ b/src/acl_kernel.cpp
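Review bot: The rewritten test checks that the byte behind `bins[0]` is untouched, but it never checks that the pointer slot itself survived the two `clGetProgramInfo(..., CL_PROGRAM_BINARIES, ...)` calls. If the runtime wrote into the caller's pointer array, `bins[0][0]` would read through whatever address it stored there. A `CHECK(bins[0] == bin);` after each call would pin that down, and a short comment such as `// CL_PROGRAM_BINARIES takes an array of per-device buffer pointers, not a byte buffer` would record why `bins` changed type.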
@@ -345,11 +345,14 @@ CL_API_ENTRY cl_int CL_API_CALL clSetKernelArgIntelFPGA(cl_kernel kernel,
 "Non-memory object passed in as memory object argument");
 } else if (arg_info->category == ACL_ARG_SAMPLER) {
- if (arg_value && !acl_sampler_is_valid(*(cl_sampler *)arg_value))
+ if (arg_value && (arg_size != sizeof(cl_sampler) ||
+ !acl_sampler_is_valid(*(cl_sampler *)arg_value))) {
 UNLOCK_ERR_RET(CL_INVALID_SAMPLER, context, "Non-sampler object passed in as sampler object argument");
+ }
 is_sampler = CL_TRUE;
 } else if (arg_size != arg_info->size && arg_value &&
+ arg_size == sizeof(cl_sampler) &&
 acl_sampler_is_valid(*(cl_sampler *)arg_value)) {
 is_sampler = CL_TRUE;
 }
From dc374e4c3492f7369b884fd63cd9f975613dad2a Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Fri, 12 Aug 2022 06:56:46 -0700
Subject: [PATCH 5/7] command_queue_test: resolve stack buffer overflow caused by casting cl_int to a cl_command_queue without checking
---
 test/acl_command_queue_test.cpp | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/test/acl_command_queue_test.cpp b/test/acl_command_queue_test.cpp
index 56f30750..fddcf914 100644
--- a/test/acl_command_queue_test.cpp
+++ b/test/acl_command_queue_test.cpp
@@ -170,8 +170,15 @@ MT_TEST(acl_command_queue, create) {
 3 + sizeof(unsupported_props) / sizeof(cl_command_queue_properties);
 CHECK_EQUAL(callback_num, m_callback_count);
+ // check if acl_command_queue_is_valid is working properly
 ACL_LOCKED(CHECK(!acl_command_queue_is_valid(0)));
- ACL_LOCKED(CHECK(!acl_command_queue_is_valid((cl_command_queue)&status)));
+ {
+ cl_command_queue fake_cq = acl_alloc_cl_command_queue();
+ assert(fake_cq);
+ fake_cq->magic = 0xDEADBEEFDEADBEEF;
+ ACL_LOCKED(CHECK(!acl_command_queue_is_valid(fake_cq)));
+ acl_free_cl_command_queue(fake_cq);
+ }
 CHECK_EQUAL(CL_INVALID_COMMAND_QUEUE, clRetainCommandQueue(0));
 CHECK_EQUAL(CL_INVALID_COMMAND_QUEUE, clReleaseCommandQueue(0));
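Review bot: A sampler argument passed with the wrong `arg_size` is now rejected with `CL_INVALID_SAMPLER` and the message "Non-sampler object passed in as sampler object argument", which hides the real cause; the OpenCL specification assigns `CL_INVALID_ARG_SIZE` to a sampler argument whose `arg_size != sizeof(cl_sampler)`. Consider testing the size on its own before the validity check, for example `if (arg_value && arg_size != sizeof(cl_sampler)) UNLOCK_ERR_RET(CL_INVALID_ARG_SIZE, context, "Sampler argument size is not sizeof(cl_sampler)");`. The memory-object branch whose error string appears as the first context line starts above the hunk; if it dereferences `arg_value` as a `cl_mem`, it needs the same size-before-dereference guard.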
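Review bot: `assert(fake_cq);` compiles to nothing when the tests are built with `NDEBUG`, and the next line then writes `fake_cq->magic` through a possibly null pointer; the same block is repeated in the `create_with_properties` hunk. Use the harness check that the surrounding lines already rely on, `CHECK(fake_cq != NULL);`, in both places. A comment noting that `0xDEADBEEFDEADBEEF` is only assumed to differ from the valid magic value would also help, since the definition of `magic` is not visible in this patch.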
@@ -356,8 +363,15 @@ MT_TEST(acl_command_queue, create_with_properties) {
 sizeof(invalid_props) / sizeof(cl_command_queue_properties);
 CHECK_EQUAL(callback_num, m_callback_count);
+ // check if acl_command_queue_is_valid is working properly
 ACL_LOCKED(CHECK(!acl_command_queue_is_valid(0)));
- ACL_LOCKED(CHECK(!acl_command_queue_is_valid((cl_command_queue)&status)));
+ {
+ cl_command_queue fake_cq = acl_alloc_cl_command_queue();
+ assert(fake_cq);
+ fake_cq->magic = 0xDEADBEEFDEADBEEF;
+ ACL_LOCKED(CHECK(!acl_command_queue_is_valid(fake_cq)));
+ acl_free_cl_command_queue(fake_cq);
+ }
 CHECK_EQUAL(CL_INVALID_COMMAND_QUEUE, clRetainCommandQueue(0));
 CHECK_EQUAL(CL_INVALID_COMMAND_QUEUE, clReleaseCommandQueue(0));
From 420e7ab20186028a1c9f3fb8240b9b55ad1e3ff6 Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Fri, 12 Aug 2022 06:58:27 -0700
Subject: [PATCH 6/7] mem: resolve memory leak in clCreateImage
---
 src/acl_mem.cpp | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/acl_mem.cpp b/src/acl_mem.cpp
index af10328d..c9287536 100644
--- a/src/acl_mem.cpp
+++ b/src/acl_mem.cpp
@@ -97,6 +97,7 @@ static int acl_allocate_block(acl_block_allocation_t *block_allocation,
 static int copy_image_metadata(cl_mem mem);
 static void remove_mem_block_linked_list(acl_block_allocation_t *block);
 static cl_bool is_image(cl_mem mem);
+static void l_free_image_members(cl_mem mem);
 cl_int acl_convert_image_format(const void *input_element, void *output_element, cl_image_format format_from,
@@ -198,6 +199,9 @@ CL_API_ENTRY cl_int CL_API_CALL clReleaseMemObjectIntelFPGA(cl_mem mem) {
 --mem->fields.buffer_objs.parent->fields.buffer_objs.num_subbuffers;
 clReleaseMemObject(mem->fields.buffer_objs.parent);
 } else {
+ if (is_image(mem)) {
+ l_free_image_members(mem);
+ }
 // The only case wehre mem->region->is_user_provided && mem->host_mem.raw
 // != NULL is when user creates a buffer with CL_MEM_USE_HOST_PTR set and
 // the pointer is allocated with clSVMAlloc.
@@ -6247,6 +6251,23 @@ static cl_bool is_image(cl_mem mem) {
 mem->mem_object_type == CL_MEM_OBJECT_IMAGE1D_BUFFER);
 }
+static void l_free_image_members(cl_mem mem) {
+ if (mem->fields.image_objs.image_format != NULL) {
+ acl_free(mem->fields.image_objs.image_format);
+ }
+ if (mem->fields.image_objs.image_desc != NULL) {
+ if (mem->fields.image_objs.image_desc->buffer != NULL) {
+ clReleaseMemObject(mem->fields.image_objs.image_desc->buffer);
+ mem->fields.image_objs.image_desc->buffer = NULL;
+ }
+ if (mem->fields.image_objs.image_desc->mem_object != NULL) {
+ clReleaseMemObject(mem->fields.image_objs.image_desc->mem_object);
+ mem->fields.image_objs.image_desc->mem_object = NULL;
+ }
+ acl_free(mem->fields.image_objs.image_desc);
+ }
+}
+
 void acl_copy_device_buffers_to_host_before_programming( cl_context _context, unsigned int physical_device_id, void(CL_CALLBACK *read_callback)(cl_mem, int)) {
From 0f360ce526dfeaf38abf8d9e81b3b821d984290b Mon Sep 17 00:00:00 2001
From: Sophie Mao
Date: Fri, 12 Aug 2022 07:03:16 -0700
Subject: [PATCH 7/7] event: resolve memory leak in ndrange_kernel memory_migration struct
---
 src/acl_event.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/acl_event.cpp b/src/acl_event.cpp
index 99f12dad..ffccdaf9 100644
--- a/src/acl_event.cpp
+++ b/src/acl_event.cpp
@@ -620,6 +620,13 @@ static void l_release_command_resources(acl_command_info_t &cmd) {
 case CL_COMMAND_TASK:
 case CL_COMMAND_NDRANGE_KERNEL:
+ if (cmd.info.ndrange_kernel.memory_migration.num_mem_objects != 0 &&
+ cmd.info.ndrange_kernel.memory_migration.src_mem_list) {
+ // src_mem should be user-provided buffers, users are responsible for
+ // releasing them Just free the src memory list here
+ acl_free(cmd.info.ndrange_kernel.memory_migration.src_mem_list);
+ cmd.info.ndrange_kernel.memory_migration.src_mem_list = nullptr;
+ }
 // Cleanup is handled via the completion callback.
 break;
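Review bot: `l_free_image_members` leaves `mem->fields.image_objs.image_format` and `mem->fields.image_objs.image_desc` pointing at freed memory, so a second call for the same `mem`, or any later read of those members, becomes a double free or use-after-free. Store `NULL` after each free: `mem->fields.image_objs.image_format = NULL;` and `mem->fields.image_objs.image_desc = NULL;`. A header comment would also help, stating that `buffer` and `mem_object` may alias in `cl_image_desc` (they share a union in OpenCL 2.0 and later headers), which is why the first release has to clear the field before the second test, and that both releases assume the image took a reference on those objects when it was created.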
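Review bot: After the added `acl_free` of `src_mem_list` the pointer is cleared, but `memory_migration.num_mem_objects` keeps its old count, so any later code that loops over the count would index a null list. Add `cmd.info.ndrange_kernel.memory_migration.num_mem_objects = 0;` next to the `nullptr` store. The `num_mem_objects != 0 &&` part of the guard also means a non-null list with a zero count is never freed; testing the pointer alone would close that gap. The two-line comment reads as one run-on sentence and would be clearer as `// The src_mem entries are user-provided buffers that the user releases; only the list itself is freed here.`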