OpenHarmony/third_party_mesa3d
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

radeonsi: fix potential use after free in si_set_debug_callback

Browse Source 
si_destroy_context needs to call context->set_debug_callback(...) to
avoid the debug logs to access the destroyed context.

Adding this change introduced a different problem: when an aux context
is destroyed from si_destroy_screen, parts of the screen have been
freed already: the shader_compiler_queue_*.

c467a87e06 ("radeonsi: Destroy queues before the aux contexts") moved
the util_queue_destroy calls above the context destruction, but with
the 59a3f38ff6 change, it's not needed anymore: si_destroy_context
will finish the screen shader queues before proceeding with releasing,
so use-after-free isn't possible.

Fixes: 59a3f38ff6 ("radeonsi: clear the debug callback on ctx destroy")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12035
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34574>
(cherry picked from commit 2a381bbc3cec1a54095cf4a51df8516d25207fe4)
This commit is contained in:
Pierre-Eric Pelloux-Prayer
2025-04-17 10:04:24 +02:00
committed by Eric Engestrom
parent f127f9ca88
commit ff40113ad5
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.pick_status.json
View File

@@ -134,7 +134,7 @@
"description": "radeonsi: fix potential use after free in si_set_debug_callback", "description": "radeonsi: fix potential use after free in si_set_debug_callback",
"nominated": true, "nominated": true,
"nomination_type": 2, "nomination_type": 2,
"resolution": 0, "resolution": 1,
"main_sha": null, "main_sha": null,
"because_sha": "59a3f38ff6fdc7bd47309dd58ce5070c903a0c28", "because_sha": "59a3f38ff6fdc7bd47309dd58ce5070c903a0c28",
"notes": null "notes": null

6
src/gallium/drivers/radeonsi/si_pipe.c
View File

@@ -997,9 +997,6 @@ void si_destroy_screen(struct pipe_screen *pscreen)
pipe_resource_reference(&sscreen->tess_rings, NULL); pipe_resource_reference(&sscreen->tess_rings, NULL);
pipe_resource_reference(&sscreen->tess_rings_tmz, NULL); pipe_resource_reference(&sscreen->tess_rings_tmz, NULL);
util_queue_destroy(&sscreen->shader_compiler_queue);
util_queue_destroy(&sscreen->shader_compiler_queue_opt_variants);
for (unsigned i = 0; i < ARRAY_SIZE(sscreen->aux_contexts); i++) { for (unsigned i = 0; i < ARRAY_SIZE(sscreen->aux_contexts); i++) {
if (!sscreen->aux_contexts[i].ctx) if (!sscreen->aux_contexts[i].ctx)
continue; continue;
@@ -1017,6 +1014,9 @@ void si_destroy_screen(struct pipe_screen *pscreen)
mtx_destroy(&sscreen->aux_contexts[i].lock); mtx_destroy(&sscreen->aux_contexts[i].lock);
} }
util_queue_destroy(&sscreen->shader_compiler_queue);
util_queue_destroy(&sscreen->shader_compiler_queue_opt_variants);
simple_mtx_destroy(&sscreen->async_compute_context_lock); simple_mtx_destroy(&sscreen->async_compute_context_lock);
if (sscreen->async_compute_context) { if (sscreen->async_compute_context) {
sscreen->async_compute_context->destroy(sscreen->async_compute_context); sscreen->async_compute_context->destroy(sscreen->async_compute_context);