Mesa (staging/21.2): gallium: fix surface->destroy use-after-free
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Aug 31 16:27:42 UTC 2021
Module: Mesa
Branch: staging/21.2
Commit: 2058e98e411e4fc398c278947bcfe2245bb1cb38
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=2058e98e411e4fc398c278947bcfe2245bb1cb38
Author: liuyujun <liuyujun at uniontech.com>
Date: Tue Aug 24 20:34:14 2021 +0800
gallium: fix surface->destroy use-after-free
regen surface on every update framebuffer
Cc: mesa-stable at lists.freedesktop.org
Reviewed-by: Marek Olšák <marek.olsak at amd.com>
Signed-off-by: liuyujun <liuyujun at uniontech.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/12520>
(cherry picked from commit 2bdc0bb324d60546257b250d9a78af1ee61539b8)
---
.pick_status.json | 2 +-
src/mesa/state_tracker/st_atom_framebuffer.c | 6 ++++++
src/mesa/state_tracker/st_cb_fbo.c | 24 ++++++++++++++++++++++++
src/mesa/state_tracker/st_cb_fbo.h | 4 ++++
4 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/.pick_status.json b/.pick_status.json
index 18235d38cff..a44774c6e3f 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -22,7 +22,7 @@
"description": "gallium: fix surface->destroy use-after-free",
"nominated": true,
"nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
"main_sha": null,
"because_sha": null
},
diff --git a/src/mesa/state_tracker/st_atom_framebuffer.c b/src/mesa/state_tracker/st_atom_framebuffer.c
index 0bc93d65b34..322602ea18c 100644
--- a/src/mesa/state_tracker/st_atom_framebuffer.c
+++ b/src/mesa/state_tracker/st_atom_framebuffer.c
@@ -152,6 +152,9 @@ st_update_framebuffer_state( struct st_context *st )
}
if (strb->surface) {
+ if (strb->surface->context != st->pipe) {
+ st_regen_renderbuffer_surface(st, strb);
+ }
framebuffer.cbufs[i] = strb->surface;
update_framebuffer_size(&framebuffer, strb->surface);
}
@@ -181,6 +184,9 @@ st_update_framebuffer_state( struct st_context *st )
/* rendering to a GL texture, may have to update surface */
st_update_renderbuffer_surface(st, strb);
}
+ if (strb->surface && strb->surface->context != st->pipe) {
+ st_regen_renderbuffer_surface(st, strb);
+ }
framebuffer.zsbuf = strb->surface;
if (strb->surface)
update_framebuffer_size(&framebuffer, strb->surface);
diff --git a/src/mesa/state_tracker/st_cb_fbo.c b/src/mesa/state_tracker/st_cb_fbo.c
index 50c9a4220e0..43f1c3f7e4b 100644
--- a/src/mesa/state_tracker/st_cb_fbo.c
+++ b/src/mesa/state_tracker/st_cb_fbo.c
@@ -447,6 +447,30 @@ st_new_renderbuffer_fb(enum pipe_format format, unsigned samples, boolean sw)
return &strb->Base;
}
+void
+st_regen_renderbuffer_surface(struct st_context *st,
+ struct st_renderbuffer *strb)
+{
+ struct pipe_context *pipe = st->pipe;
+ struct pipe_resource *resource = strb->texture;
+
+ struct pipe_surface **psurf =
+ strb->surface_srgb ? &strb->surface_srgb : &strb->surface_linear;
+ struct pipe_surface *surf = *psurf;
+ /* create a new pipe_surface */
+ struct pipe_surface surf_tmpl;
+ memset(&surf_tmpl, 0, sizeof(surf_tmpl));
+ surf_tmpl.format = surf->format;
+ surf_tmpl.nr_samples = strb->rtt_nr_samples;
+ surf_tmpl.u.tex.level = surf->u.tex.level;
+ surf_tmpl.u.tex.first_layer = surf->u.tex.first_layer;
+ surf_tmpl.u.tex.last_layer = surf->u.tex.last_layer;
+
+ pipe_surface_release(pipe, psurf);
+
+ *psurf = pipe->create_surface(pipe, resource, &surf_tmpl);
+ strb->surface = *psurf;
+}
/**
* Create or update the pipe_surface of a FBO renderbuffer.
diff --git a/src/mesa/state_tracker/st_cb_fbo.h b/src/mesa/state_tracker/st_cb_fbo.h
index 046f01713ce..908ae5d0c4b 100644
--- a/src/mesa/state_tracker/st_cb_fbo.h
+++ b/src/mesa/state_tracker/st_cb_fbo.h
@@ -112,4 +112,8 @@ st_update_renderbuffer_surface(struct st_context *st,
extern void
st_init_fbo_functions(struct dd_function_table *functions);
+extern void
+st_regen_renderbuffer_surface(struct st_context *st,
+ struct st_renderbuffer *strb);
+
#endif /* ST_CB_FBO_H */
More information about the mesa-commit
mailing list