[core/nvdrv] Fix Random Unmap Memory Access

2025-08-01 19:00:28 +00:00 · 2025-08-01 19:00:28 +00:00 · 98454aea5a
commit 98454aea5a
parent 6fd10fd85e
2 changed files with 12 additions and 10 deletions
--- a/src/core/hle/service/nvdrv/devices/nvhost_as_gpu.cpp
+++ b/src/core/hle/service/nvdrv/devices/nvhost_as_gpu.cpp
@ -312,7 +312,7 @@ NvResult nvhost_as_gpu::Remap(std::span<IoctlRemapEntry> entries) {
 NvResult nvhost_as_gpu::MapBufferEx(IoctlMapBufferEx& params) {
    LOG_DEBUG(Service_NVDRV,
              "called, flags={:X}, nvmap_handle={:X}, buffer_offset={}, mapping_size={}"
-              ", offset={}",
+              ", offset=0x{:X}",
              params.flags, params.handle, params.buffer_offset, params.mapping_size,
              params.offset);

@ -406,10 +406,13 @@ NvResult nvhost_as_gpu::MapBufferEx(IoctlMapBufferEx& params) {
        mapping_map[params.offset] = mapping;
    }

+    buffer_offsets.insert(params.offset);
+
    return NvResult::Success;
 }

 NvResult nvhost_as_gpu::UnmapBuffer(IoctlUnmapBuffer& params) {
+    if (buffer_offsets.find(params.offset) != buffer_offsets.end()) {
        LOG_DEBUG(Service_NVDRV, "called, offset=0x{:X}", params.offset);

        std::scoped_lock lock(mutex);
@ -418,7 +421,6 @@ NvResult nvhost_as_gpu::UnmapBuffer(IoctlUnmapBuffer& params) {
            return NvResult::BadValue;
        }

-    try {
        auto mapping{mapping_map.at(params.offset)};

        if (!mapping->fixed) {
@ -440,10 +442,8 @@ NvResult nvhost_as_gpu::UnmapBuffer(IoctlUnmapBuffer& params) {
        nvmap.UnpinHandle(mapping->handle);

        mapping_map.erase(params.offset);
-    } catch (const std::out_of_range&) {
-        LOG_WARNING(Service_NVDRV, "Couldn't find region to unmap at 0x{:X}", params.offset);
+        buffer_offsets.erase(params.offset);
    }
-
    return NvResult::Success;
 }

--- a/src/core/hle/service/nvdrv/devices/nvhost_as_gpu.h
+++ b/src/core/hle/service/nvdrv/devices/nvhost_as_gpu.h
@ -10,6 +10,7 @@
 #include <memory>
 #include <mutex>
 #include <optional>
+#include <unordered_set>
 #include <vector>

 #include "common/address_space.h"
@ -109,6 +110,7 @@ private:
    };
    static_assert(sizeof(IoctlRemapEntry) == 20, "IoctlRemapEntry is incorrect size");

+    std::unordered_set<s64_le> buffer_offsets{};
    struct IoctlMapBufferEx {
        MappingFlags flags{}; // bit0: fixed_offset, bit2: cacheable
        u32_le kind{};        // -1 is default