
Possible use-after-free when handler is destroyed before operation completes?

[Open] igchor opened this issue 2 years ago · 2 comments

Consider the following code:

{
    auto h = dml::submit<path>(...);  // h owns the descriptor the engine writes to
}  // h is destroyed here, possibly while the operation is still in flight

The handler returned from submit may be destroyed before the operation completes. I don't see any mention in the documentation that the handler should be kept alive until the operation completes, so I would assume this code is valid.

However, I believe this can cause a use-after-free in the hardware path, since DML will try to write the completion status to the descriptor (which, if I understand correctly, is owned by the handler). Possibly the same is true for the C API and dml_finalize_job().

Is my understanding correct, or is this already handled by DML somehow? If not, I think the best way to avoid this would be to wait for the operation to complete inside the handler destructor.

igchor, May 05 '23 22:05
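As an added illustration (not code from this issue or from DML), the following constructed model shows the lifetime problem described above and the fix the post proposes: a fake engine stands in for the DMA hardware and holds a pointer into handler-owned memory, and the handler can be built with or without a destructor that waits for completion. All names (`fake_engine`, `handler`, `completion_record`, `stale_writes_after_scope`) are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>

// Constructed model of the hazard in this issue (not the DML API). The "engine"
// stands in for the DMA hardware: submission hands it a pointer to a completion
// record owned by the handler, and the engine writes the status there later.
struct completion_record {
    std::uint8_t status = 0;  // 0 = pending, 1 = completed (constructed values)
};
class fake_engine {
public:
    void submit(completion_record* rec) { queue_.push_back(rec); }
    // Completes the oldest job by writing into memory the engine does not own.
    // If that handler is already gone, this write is the use-after-free.
    void process_one() {
        if (queue_.empty()) return;
        queue_.front()->status = 1;
        queue_.pop_front();
    }
    std::size_t pending_count() const { return queue_.size(); }
private:
    std::deque<completion_record*> queue_;
};

// Handler with the fix proposed in the issue selectable: when wait_in_dtor is
// set, the destructor drives the engine until this handler's record is written.
class handler {
public:
    handler(fake_engine& e, bool w) : engine_(e), wait_in_dtor_(w) { engine_.submit(&record_); }
    handler(const handler&) = delete;
    handler& operator=(const handler&) = delete;
    // Jobs ahead of ours in the FIFO are completed too; ours is still queued.
    void wait() { while (record_.status == 0) engine_.process_one(); }
    ~handler() { if (wait_in_dtor_) wait(); }
private:
    fake_engine& engine_;
    bool wait_in_dtor_;
    completion_record record_;  // the memory the engine writes into
};

// The pattern from the issue: submit, then let the handler go out of scope.
// Returns how many queued writes still point into the destroyed handler.
std::size_t stale_writes_after_scope(bool wait_in_dtor) {
    fake_engine engine;
    {
        handler h(engine, wait_in_dtor);
    }
    return engine.pending_count();  // 1 without the destructor wait, 0 with it
}
```

Without the wait, one queued write still targets the storage of the destroyed handler; the model never performs that write, but real hardware would.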

Hi @igchor, it is a valid concern and your understanding is correct, thanks for bringing up this issue! I believe short-term we will update the documentation/code to mention that the user should keep the handler alive, and long-term we will explore how to address it better.

mzhukova, May 23 '23 18:05

Just FYI, the documentation was updated to reflect this limitation.

mzhukova, Oct 24 '23 22:10