From 985a5c8f1ad7c0cdaa9c8e874442145c156a1181 Mon Sep 17 00:00:00 2001
From: "Juan A. Suarez Romero"
Date: Mon, 15 Jan 2024 10:59:56 +0100
Subject: [PATCH] broadcom/simulator: protect simulator BO rallocs with mutexes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move ralloc allocations and frees for BOs into the critical sections protected with mutexes. This fixes several double-free and use-after-free crashes that happens sometimes when using the simulator to run Vulkan CTS tests, specially when these tests involve multithreading, like `dEQP-VK.api.object_management.multithreaded_per_thread_resources.device_memory_small`.

Reviewed-by: Alejandro PiƱeiro
Signed-off-by: Juan A. Suarez Romero
Part-of:
---
 src/broadcom/simulator/v3d_simulator.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/broadcom/simulator/v3d_simulator.c b/src/broadcom/simulator/v3d_simulator.c
index 5b43e269fdc..ee062504fc1 100644
--- a/src/broadcom/simulator/v3d_simulator.c
+++ b/src/broadcom/simulator/v3d_simulator.c
@@ -216,17 +216,15 @@ static struct v3d_simulator_bo *
 v3d_create_simulator_bo(int fd, unsigned size)
 {
 struct v3d_simulator_file *file = v3d_get_simulator_file_for_fd(fd);
- struct v3d_simulator_bo *sim_bo = rzalloc(file,
- struct v3d_simulator_bo);
- size = align(size, 4096);
-
- sim_bo->file = file;
 simple_mtx_lock(&sim_state.mutex);
+ struct v3d_simulator_bo *sim_bo = rzalloc(file,
+ struct v3d_simulator_bo);
 sim_bo->block = u_mmAllocMem(sim_state.heap, size + 4, GMP_ALIGN2, 0);
 simple_mtx_unlock(&sim_state.mutex);
 assert(sim_bo->block);
-
+ size = align(size, 4096);
+ sim_bo->file = file;
 set_gmp_flags(file, sim_bo->block->ofs, size, 0x3);
 sim_bo->size = size;
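Review bot: In `v3d_create_simulator_bo`, `u_mmAllocMem(sim_state.heap, size + 4, GMP_ALIGN2, 0)` now runs before `size = align(size, 4096);`, so the heap block is reserved with the caller's unaligned size while `set_gmp_flags()` and `sim_bo->size` use the rounded-up value. Before this change the alignment preceded the allocation; unless `u_mmAllocMem` rounds the size itself (not visible here), a BO can now claim up to 4095 bytes beyond its block and overlap a neighbouring BO in simulator memory. Moving `size = align(size, 4096);` back above the `u_mmAllocMem` call restores the old sizing; it only touches a local, so it can sit on either side of `simple_mtx_lock`. The `rzalloc` result is also dereferenced without a NULL check, and the function body continues past the end of the hunk.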
@@ -344,8 +342,8 @@ v3d_free_simulator_bo(struct v3d_simulator_bo *sim_bo)
 _mesa_hash_table_remove_key(sim_file->bo_map, int_to_key(sim_bo->handle));
 }
- simple_mtx_unlock(&sim_state.mutex);
 ralloc_free(sim_bo);
+ simple_mtx_unlock(&sim_state.mutex);
 }
 static struct v3d_simulator_bo *
@@ -1208,8 +1206,8 @@ v3d_simulator_destroy(struct v3d_simulator_file *sim_file)
 /* No memsetting the struct, because it contains the mutex. */
 sim_state.mem = NULL;
 }
- simple_mtx_unlock(&sim_state.mutex);
 ralloc_free(sim_file);
+ simple_mtx_unlock(&sim_state.mutex);
 }
 #endif /* USE_V3D_SIMULATOR */
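Review bot: The reason `ralloc_free(sim_bo)` has to run before `simple_mtx_unlock(&sim_state.mutex)` in `v3d_free_simulator_bo` is not recorded in the code, so a later cleanup could move the free back outside the lock and reintroduce the double-free/use-after-free this commit fixes. A short comment above the call would pin the invariant, e.g. `/* sim_bo is a ralloc child of its sim_file; ralloc does no locking, so free it under sim_state.mutex. */`. The same applies to `ralloc_free(sim_file)` in the `v3d_simulator_destroy` hunk below. Both function bodies begin outside their hunks.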