[ET-VK][ez] Fix use-after-free bug in Vulkan queue creation #16367
Summary:
A use-after-free bug in find_compute_queues() was discovered using Valgrind. The function created a local queue_priorities vector inside a loop and stored its data pointer in VkDeviceQueueCreateInfo. When the vector went out of scope, its memory was freed, but vkCreateDevice() later accessed this freed memory. Fixed by adding a queue_priorities parameter to persist the data until after vkCreateDevice() completes.
Problem
A use-after-free bug was discovered in find_compute_queues() using Valgrind. The function created a local std::vector<float> queue_priorities inside a loop and stored its data pointer in VkDeviceQueueCreateInfo. When the vector went out of scope at the end of each iteration, its memory was freed. Later, when vkCreateDevice() accessed these queue priorities, it read from freed memory.
Investigation
Valgrind reported:
Fix
Modified find_compute_queues() to accept an additional parameter std::vector<std::vector<float>>& queue_priorities that persists the queue priority data until after vkCreateDevice() completes. This ensures the memory remains valid when Vulkan needs to access it.
Updated all call sites:
Verification
Valgrind results before fix: 296 errors from 13 contexts, 1 Invalid read
Valgrind results after fix: 295 errors from 12 contexts, 0 Invalid reads ✓
Remaining errors are in NVIDIA drivers and third-party libraries.
cc @manuelcandales @digantdesai @cbilgin
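The lifetime bug described in this PR, reduced to a stand-alone illustration. This is an added example, not code from the ExecuTorch Vulkan backend: `QueueCreateInfo` is a hypothetical stand-in for `VkDeviceQueueCreateInfo` that mirrors only the `pQueuePriorities`/`queueCount` fields, `create_device_stub()` plays the role of `vkCreateDevice()` by dereferencing those pointers, and the `queue_counts` argument and the `find_compute_queues*` signatures are assumptions made so the example runs without Vulkan headers. The dangling variant is kept only for comparison and is never called; the fixed variant takes the outer `std::vector<std::vector<float>>&` the PR adds, so the priority buffers are owned by the caller for as long as the create call needs them.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for VkDeviceQueueCreateInfo (constructed for this example).
// Like the real struct, it holds a raw, non-owning pointer into caller storage.
struct QueueCreateInfo {
  uint32_t queueFamilyIndex;
  uint32_t queueCount;
  const float* pQueuePriorities;  // must stay valid until the device is created
};

// Hypothetical stand-in for vkCreateDevice(): reads every priority through the
// stored pointers, exactly the access that turned into an "Invalid read" in Valgrind.
// Returns the sum of the priorities so a caller can check what was read.
float create_device_stub(const std::vector<QueueCreateInfo>& infos) {
  float total = 0.0f;
  for (const auto& info : infos)
    for (uint32_t i = 0; i < info.queueCount; ++i)
      total += info.pQueuePriorities[i];
  return total;
}

// BUG PATTERN (as described in the PR; not called anywhere in this example):
// `queue_priorities` is a loop-local vector, so its buffer is freed at the end of
// each iteration while `data()` is still stored in the create-info.
std::vector<QueueCreateInfo> find_compute_queues_dangling(
    const std::vector<uint32_t>& queue_counts) {
  std::vector<QueueCreateInfo> infos;
  for (uint32_t family = 0; family < queue_counts.size(); ++family) {
    std::vector<float> queue_priorities(queue_counts[family], 1.0f);
    infos.push_back({family, queue_counts[family], queue_priorities.data()});
  }  // queue_priorities destroyed here: every pQueuePriorities above now dangles
  return infos;
}

// FIXED PATTERN: the caller supplies storage that outlives the create call.
// Each family's priorities are appended to the outer vector and the pointer is
// taken from the element that lives there, not from a temporary.
std::vector<QueueCreateInfo> find_compute_queues(
    const std::vector<uint32_t>& queue_counts,
    std::vector<std::vector<float>>& queue_priorities) {
  std::vector<QueueCreateInfo> infos;
  // reserve() is belt-and-braces: even if the outer vector reallocates, the inner
  // vectors are moved and keep their heap buffers, so data() pointers stay valid.
  queue_priorities.reserve(queue_priorities.size() + queue_counts.size());
  for (uint32_t family = 0; family < queue_counts.size(); ++family) {
    queue_priorities.emplace_back(queue_counts[family], 1.0f);
    infos.push_back({family, queue_counts[family], queue_priorities.back().data()});
  }
  return infos;
}

// Caller-side shape of the fix: the priority storage is declared in the scope that
// also performs the create call, so it cannot be freed before the call completes.
float create_device_safely(const std::vector<uint32_t>& queue_counts) {
  std::vector<std::vector<float>> queue_priorities;  // outlives create_device_stub()
  std::vector<QueueCreateInfo> infos = find_compute_queues(queue_counts, queue_priorities);
  return create_device_stub(infos);
}

// Check that every stored pointer still refers to caller-owned storage and that
// the create call reads the expected values (constructed sample: three families).
bool pointers_stay_valid() {
  std::vector<uint32_t> counts = {1u, 4u, 2u};
  std::vector<std::vector<float>> queue_priorities;
  std::vector<QueueCreateInfo> infos = find_compute_queues(counts, queue_priorities);
  if (infos.size() != 3 || queue_priorities.size() != 3) return false;
  for (size_t i = 0; i < infos.size(); ++i)
    if (infos[i].pQueuePriorities != queue_priorities[i].data()) return false;
  return create_device_stub(infos) == 7.0f;
}

int main() {
  std::printf("sum of priorities: %.1f\n", create_device_safely({2u, 3u}));
  std::printf("pointers valid: %s\n", pointers_stay_valid() ? "yes" : "no");
  return 0;
}
```

The point to take from the fixed version is ownership, not the container choice: any caller that lets `queue_priorities` go out of scope before the create call would reintroduce the same read of freed memory, which is why the fix threads the storage through the signature rather than allocating it inside the function. Running the dangling variant under Valgrind or AddressSanitizer is how this class of bug surfaces, since the freed buffer will usually still contain the old values and the program appears to work.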