Mesa (staging/21.1): freedreno/ir3: Fix use after free

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Thu Jun 10 11:32:25 UTC 2021 

Module: Mesa
Branch: staging/21.1
Commit: 23cb39dc66fd45aface33da74ffb2afe3439bc55
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=23cb39dc66fd45aface33da74ffb2afe3439bc55

Author: Rob Clark <robdclark at chromium.org>
Date:   Sun Apr 18 09:10:07 2021 -0700

freedreno/ir3: Fix use after free

If the tex/sfu ssa src is from a different block than the one currently
being scheduled, we do not have a valid sched-node.  So fallback to
previous behavior rather than dereference an invalid ptr.

Fixes: 7821e5a3f8d ("ir3/sched: Don't penalize uses of already-waited tex/SFU")
Signed-off-by: Rob Clark <robdclark at chromium.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/10306>
(cherry picked from commit 09f64f74db9e0dd22ef6e4bf616ac7bffde2a6fd)

---

 .pick_status.json             |  2 +-
 src/freedreno/ir3/ir3_sched.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.pick_status.json b/.pick_status.json
index cc28051a311..93a2283095d 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -787,7 +787,7 @@
         "description": "freedreno/ir3: Fix use after free",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "main_sha": null,
         "because_sha": "7821e5a3f8d593e1e9738924f5f4dc5996583518"
     },
diff --git a/src/freedreno/ir3/ir3_sched.c b/src/freedreno/ir3/ir3_sched.c
index 51b39dc1ee9..2e6bb31840a 100644
--- a/src/freedreno/ir3/ir3_sched.c
+++ b/src/freedreno/ir3/ir3_sched.c
@@ -194,6 +194,12 @@ is_outstanding_tex_or_prefetch(struct ir3_instruction *instr, struct ir3_sched_c
 	if (!is_tex_or_prefetch(instr))
 		return false;
 
+	/* The sched node is only valid within the same block, we cannot
+	 * really say anything about src's from other blocks
+	 */
+	if (instr->block != ctx->block)
+		return true;
+
 	struct ir3_sched_node *n = instr->data;
 	return n->tex_index >= ctx->first_outstanding_tex_index;
 }
@@ -204,6 +210,12 @@ is_outstanding_sfu(struct ir3_instruction *instr, struct ir3_sched_ctx *ctx)
 	if (!is_sfu(instr))
 		return false;
 
+	/* The sched node is only valid within the same block, we cannot
+	 * really say anything about src's from other blocks
+	 */
+	if (instr->block != ctx->block)
+		return true;
+
 	struct ir3_sched_node *n = instr->data;
 	return n->sfu_index >= ctx->first_outstanding_sfu_index;
 }

More information about the mesa-commit mailing list