Mesa (main): gallium: fix surface->destroy use-after-free

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Aug 31 14:41:12 UTC 2021 

Module: Mesa
Branch: main
Commit: 2bdc0bb324d60546257b250d9a78af1ee61539b8
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=2bdc0bb324d60546257b250d9a78af1ee61539b8

Author: liuyujun <liuyujun at uniontech.com>
Date:   Tue Aug 24 20:34:14 2021 +0800

gallium: fix surface->destroy use-after-free

regen surface on every update framebuffer

Cc: mesa-stable at lists.freedesktop.org

Reviewed-by: Marek Olšák <marek.olsak at amd.com>

Signed-off-by: liuyujun <liuyujun at uniontech.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/12520>

---

 src/mesa/state_tracker/st_atom_framebuffer.c |  6 ++++++
 src/mesa/state_tracker/st_cb_fbo.c           | 24 ++++++++++++++++++++++++
 src/mesa/state_tracker/st_cb_fbo.h           |  4 ++++
 3 files changed, 34 insertions(+)

diff --git a/src/mesa/state_tracker/st_atom_framebuffer.c b/src/mesa/state_tracker/st_atom_framebuffer.c
index 0bc93d65b34..322602ea18c 100644
--- a/src/mesa/state_tracker/st_atom_framebuffer.c
+++ b/src/mesa/state_tracker/st_atom_framebuffer.c
@@ -152,6 +152,9 @@ st_update_framebuffer_state( struct st_context *st )
          }
 
          if (strb->surface) {
+            if (strb->surface->context != st->pipe) {
+               st_regen_renderbuffer_surface(st, strb);
+            }
             framebuffer.cbufs[i] = strb->surface;
             update_framebuffer_size(&framebuffer, strb->surface);
          }
@@ -181,6 +184,9 @@ st_update_framebuffer_state( struct st_context *st )
          /* rendering to a GL texture, may have to update surface */
          st_update_renderbuffer_surface(st, strb);
       }
+      if (strb->surface && strb->surface->context != st->pipe) {
+         st_regen_renderbuffer_surface(st, strb);
+      }
       framebuffer.zsbuf = strb->surface;
       if (strb->surface)
          update_framebuffer_size(&framebuffer, strb->surface);
diff --git a/src/mesa/state_tracker/st_cb_fbo.c b/src/mesa/state_tracker/st_cb_fbo.c
index 50c9a4220e0..43f1c3f7e4b 100644
--- a/src/mesa/state_tracker/st_cb_fbo.c
+++ b/src/mesa/state_tracker/st_cb_fbo.c
@@ -447,6 +447,30 @@ st_new_renderbuffer_fb(enum pipe_format format, unsigned samples, boolean sw)
    return &strb->Base;
 }
 
+void
+st_regen_renderbuffer_surface(struct st_context *st,
+                              struct st_renderbuffer *strb)
+{
+   struct pipe_context *pipe = st->pipe;
+   struct pipe_resource *resource = strb->texture;
+
+   struct pipe_surface **psurf =
+      strb->surface_srgb ? &strb->surface_srgb : &strb->surface_linear;
+   struct pipe_surface *surf = *psurf;
+   /* create a new pipe_surface */
+   struct pipe_surface surf_tmpl;
+   memset(&surf_tmpl, 0, sizeof(surf_tmpl));
+   surf_tmpl.format = surf->format;
+   surf_tmpl.nr_samples = strb->rtt_nr_samples;
+   surf_tmpl.u.tex.level = surf->u.tex.level;
+   surf_tmpl.u.tex.first_layer = surf->u.tex.first_layer;
+   surf_tmpl.u.tex.last_layer = surf->u.tex.last_layer;
+
+   pipe_surface_release(pipe, psurf);
+
+   *psurf = pipe->create_surface(pipe, resource, &surf_tmpl);
+   strb->surface = *psurf;
+}
 
 /**
  * Create or update the pipe_surface of a FBO renderbuffer.
diff --git a/src/mesa/state_tracker/st_cb_fbo.h b/src/mesa/state_tracker/st_cb_fbo.h
index 046f01713ce..908ae5d0c4b 100644
--- a/src/mesa/state_tracker/st_cb_fbo.h
+++ b/src/mesa/state_tracker/st_cb_fbo.h
@@ -112,4 +112,8 @@ st_update_renderbuffer_surface(struct st_context *st,
 extern void
 st_init_fbo_functions(struct dd_function_table *functions);
 
+extern void
+st_regen_renderbuffer_surface(struct st_context *st,
+                              struct st_renderbuffer *strb);
+
 #endif /* ST_CB_FBO_H */

More information about the mesa-commit mailing list