Use after free in bli_gemmsup_int

In bli_l3_sup_thread_decorator_entry,
https://github.com/flame/blis/blob/b5d57831a9cecd6e7e83b039be66fbf31a005062/frame/3/bli_l3_decor.c#L70-L90
thrinfo_t thread gets passed into `bli_gemmsup_int`, which frees it via `bli_l3_sup_thrinfo_update`.

Line 88 bli_l3_sup_thread_decorator_entry then tries to call `bli_thrinfo_barrier( thread ); ` using the previously freed `thrinfo_t thread`.
This causes tests to fail when mimalloc is preloaded and pba/sba are disabled, since `thread` no longer contains valid data.

One solution is to change the signature of `bli_gemmsup_int` like so
```c
 err_t bli_gemmsup_int
     (
       const obj_t*  alpha,
       const obj_t*  a,
       const obj_t*  b,
       const obj_t*  beta,
       const obj_t*  c,
       const cntx_t* cntx,
       const rntm_t* rntm,
             thrinfo_t** thread
     )
```
This function should then return a valid thrinfo_t.

	// control tree node.
	thrinfo_t* thread = bli_l3_thrinfo_create( tid, gl_comm, array, rntm, cntl );

	bli_l3_int
	(
	a,
	b,
	c,
	cntx,
	cntl,
	thread
	);

	// Free the current thread's thrinfo_t structure.
	// NOTE: The barrier here is very important as it prevents memory being
	// released by the chief of some thread sub-group before its peers are done
	// using it. See PR #702 for more info [1].
	// [1] https://github.com/flame/blis/pull/702
	bli_thrinfo_barrier( thread );
	bli_thrinfo_free( thread );
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use after free in bli_gemmsup_int #919

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use after free in bli_gemmsup_int #919

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions