Module: Mesa
Branch: staging/22.2
Commit: 3ded967693e2adf679d536fe4311ab78f75ebf24
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=3ded967693e2adf679d536fe4311ab78f75ebf24

Author: Max Kellermann <[email protected]>
Date:   Mon Aug 22 20:10:46 2022 +0200

gallium/u_threaded: add missing reference counts for draw_multi slots

If a glMultiDrawElementsEXT() call doesn't fit into a single slot, the
same pipe_resource pointer is copied into all following slots, and the
completion of each will decrement the reference counter; however, it
was never incremented for all but the first slot.

This fixes a use-after-free bug with glMultiDrawElementsEXT().

Cc: mesa-stable
Reviewed-by: Marek Olšák <[email protected]>
Reviewed-by: Mike Blumenkrantz <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/18189>
(cherry picked from commit 0a0fb7cbc63d66977c148c3f5fd86de8e879f1ab)

---

 .pick_status.json                               | 2 +-
 src/gallium/auxiliary/util/u_threaded_context.c | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index dd24d4e0a3e..4578d4ab612 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -4297,7 +4297,7 @@
         "description": "gallium/u_threaded: add missing reference counts for 
draw_multi slots",
         "nominated": true,
         "nomination_type": 0,
-        "resolution": 0,
+        "resolution": 1,
         "main_sha": null,
         "because_sha": null
     },
diff --git a/src/gallium/auxiliary/util/u_threaded_context.c 
b/src/gallium/auxiliary/util/u_threaded_context.c
index 74d39f8da9b..8b28276c615 100644
--- a/src/gallium/auxiliary/util/u_threaded_context.c
+++ b/src/gallium/auxiliary/util/u_threaded_context.c
@@ -3371,7 +3371,14 @@ tc_draw_vbo(struct pipe_context *_pipe, const struct 
pipe_draw_info *info,
             tc_add_slot_based_call(tc, TC_CALL_draw_multi, tc_draw_multi,
                                    dr);
          memcpy(&p->info, info, 
DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX);
-         p->info.index.resource = buffer;
+
+         if (total_offset == 0)
+            /* the first slot inherits the reference from u_upload_alloc() */
+            p->info.index.resource = buffer;
+         else
+            /* all following slots need a new reference */
+            tc_set_resource_reference(&p->info.index.resource, buffer);
+
          p->num_draws = dr;
 
          /* Upload index buffers. */
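Review bot: the else branch relies on tc_set_resource_reference() never reading the previous value of p->info.index.resource, since the memcpy() just above copies only DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX bytes and so does not initialize that field in the slot; a pipe_resource_reference()-style set-and-release helper would release whatever stale pointer happened to be there. A short comment at the call site, or an explicit `p->info.index.resource = NULL;` before the if/else, would make that invariant visible to the next reader. The `total_offset == 0` test as the "first slot" condition also ties the ownership hand-off from u_upload_alloc() to the loop's offset accounting; an explicit first-iteration flag would state the intent directly rather than by implication.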
