From 5c00efec235652aee7ca2d959cc707ddced350f9 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Thu, 11 Feb 2021 11:53:24 +1000 Subject: [PATCH] lavapipe: avoid pointer to pipeline layout in execution pipeline layout lifetime is only during command buffer recording, Don't store pointers to it, just extract them around it. Fixes asan use-after-free in dEQP-VK.api.pipeline.pipeline_layout.lifetime.destroy_after_end Acked-by: Eric Anholt Part-of: --- src/gallium/frontends/lavapipe/lvp_cmd_buffer.c | 4 +++- src/gallium/frontends/lavapipe/lvp_execute.c | 8 ++++---- src/gallium/frontends/lavapipe/lvp_private.h | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/gallium/frontends/lavapipe/lvp_cmd_buffer.c b/src/gallium/frontends/lavapipe/lvp_cmd_buffer.c index 67a5cc8e648..291a7e5f9cf 100644 --- a/src/gallium/frontends/lavapipe/lvp_cmd_buffer.c +++ b/src/gallium/frontends/lavapipe/lvp_cmd_buffer.c @@ -440,12 +440,14 @@ VKAPI_ATTR void VKAPI_CALL lvp_CmdBindDescriptorSets( return; cmd->u.descriptor_sets.bind_point = pipelineBindPoint; - cmd->u.descriptor_sets.layout = layout; cmd->u.descriptor_sets.first = firstSet; cmd->u.descriptor_sets.count = descriptorSetCount; + for (i = 0; i < layout->num_sets; i++) + cmd->u.descriptor_sets.set_layout[i] = layout->set[i].layout; sets = (struct lvp_descriptor_set **)(cmd + 1); for (i = 0; i < descriptorSetCount; i++) { + sets[i] = lvp_descriptor_set_from_handle(pDescriptorSets[i]); } cmd->u.descriptor_sets.sets = sets; diff --git a/src/gallium/frontends/lavapipe/lvp_execute.c b/src/gallium/frontends/lavapipe/lvp_execute.c index 07508659ca9..e1e542b59d3 100644 --- a/src/gallium/frontends/lavapipe/lvp_execute.c +++ b/src/gallium/frontends/lavapipe/lvp_execute.c 
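Review bot: The new copy loop in lvp_CmdBindDescriptorSets writes `layout->num_sets` entries into the fixed-size `set_layout[MAX_SETS]` array with no visible bound. It relies on pipeline-layout creation having capped num_sets, and `assert(layout->num_sets <= MAX_SETS);` just before the loop would state that invariant where the write happens. The values stored are still raw `struct lvp_descriptor_set_layout *` pointers, so the change removes the dependency on the pipeline layout's lifetime but not on the set layouts'. If those objects are not reference-counted or otherwise kept alive until execution (not visible here), destroying one after recording would presumably leave the same kind of dangling pointer that ASan reported. The function body starts and ends outside the hunk.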
@@ -1043,14 +1043,14 @@ static void handle_compute_descriptor_sets(struct lvp_cmd_buffer_entry *cmd, int i; for (i = 0; i < bds->first; i++) { - increment_dyn_info(dyn_info, bds->layout->set[i].layout, false); + increment_dyn_info(dyn_info, bds->set_layout[i], false); } for (i = 0; i < bds->count; i++) { const struct lvp_descriptor_set *set = bds->sets[i]; if (set->layout->shader_stages & VK_SHADER_STAGE_COMPUTE_BIT) handle_set_stage(state, dyn_info, set, MESA_SHADER_COMPUTE, PIPE_SHADER_COMPUTE); - increment_dyn_info(dyn_info, bds->layout->set[bds->first + i].layout, true); + increment_dyn_info(dyn_info, bds->set_layout[bds->first + i], true); } } @@ -1072,7 +1072,7 @@ static void handle_descriptor_sets(struct lvp_cmd_buffer_entry *cmd, } for (i = 0; i < bds->first; i++) { - increment_dyn_info(&dyn_info, bds->layout->set[i].layout, false); + increment_dyn_info(&dyn_info, bds->set_layout[i], false); } for (i = 0; i < bds->count; i++) { @@ -1092,7 +1092,7 @@ static void handle_descriptor_sets(struct lvp_cmd_buffer_entry *cmd, if (set->layout->shader_stages & VK_SHADER_STAGE_TESSELLATION_EVALUATION_BIT) handle_set_stage(state, &dyn_info, set, MESA_SHADER_TESS_EVAL, PIPE_SHADER_TESS_EVAL); - increment_dyn_info(&dyn_info, bds->layout->set[bds->first + i].layout, true); + increment_dyn_info(&dyn_info, bds->set_layout[bds->first + i], true); } } diff --git a/src/gallium/frontends/lavapipe/lvp_private.h b/src/gallium/frontends/lavapipe/lvp_private.h index 57a270c5fa2..bef83981a83 100644 --- a/src/gallium/frontends/lavapipe/lvp_private.h +++ b/src/gallium/frontends/lavapipe/lvp_private.h @@ -723,7 +723,7 @@ struct lvp_cmd_set_stencil_vals { struct lvp_cmd_bind_descriptor_sets { VkPipelineBindPoint bind_point; - struct lvp_pipeline_layout *layout; + struct lvp_descriptor_set_layout *set_layout[MAX_SETS]; uint32_t first; uint32_t count; struct lvp_descriptor_set **sets;
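Review bot: In handle_compute_descriptor_sets the index `bds->first + i` into `bds->set_layout[]` is not checked against the array size or against the number of entries the recording side filled in, and the same holds for both hunks in handle_descriptor_sets. The recording loop writes only the first `layout->num_sets` slots, so a bind whose firstSet + descriptorSetCount exceeds that count would hand `increment_dyn_info` an unwritten slot, or read past the array once it exceeds MAX_SETS. A cheap guard at the top of each handler is `assert(bds->first + bds->count <= MAX_SETS);`, and zero-filling the array at record time would make a stale slot fail predictably. Both function bodies start outside the hunks shown.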
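Review bot: The new `set_layout[MAX_SETS]` member in struct lvp_cmd_bind_descriptor_sets has no comment saying which entries are valid or who owns the pointers, and the replay code depends on both. I would add above it something like `/* per-set layouts copied from the pipeline layout at record time; only the first num_sets entries are written, pointers are not owned by the command */`. The ownership wording is inferred from the recording hunk, which copies the pointers without taking a reference, so it should be confirmed. The struct definition continues past the end of the hunk.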