From 612b99d721cf8239626589281446bc1d25805490 Mon Sep 17 00:00:00 2001
From: Lucas Stach
Date: Thu, 14 Jul 2022 10:27:05 +0200
Subject: [PATCH] etnaviv: fix use after free in async shader compile

When the shader state is destroyed before the async shader compile is done, we get a use after free in the async thread, as the shader state it is operating on is gone. Fix this by dropping any pending job from the async queue or wait for it to finish before destroying the state by calling util_queue_drop_job. Also call util_queue_fence_destroy, which would have caught this issue by asserting that the queue_fence is in signalled state when the shader state is destroyed.

Fixes: 1141ed585901 ("etnaviv: async shader compile")
Signed-off-by: Lucas Stach
Reviewed-by: Christian Gmeiner
Part-of:
---
 src/gallium/drivers/etnaviv/etnaviv_shader.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/gallium/drivers/etnaviv/etnaviv_shader.c b/src/gallium/drivers/etnaviv/etnaviv_shader.c
index 67268f3..fe028ae 100644
--- a/src/gallium/drivers/etnaviv/etnaviv_shader.c
+++ b/src/gallium/drivers/etnaviv/etnaviv_shader.c
@@ -511,9 +511,13 @@ etna_create_shader_state(struct pipe_context *pctx,
 static void
 etna_delete_shader_state(struct pipe_context *pctx, void *ss)
 {
+ struct etna_context *ctx = etna_context(pctx);
+ struct etna_screen *screen = ctx->screen;
 struct etna_shader *shader = ss;
 struct etna_shader_variant *v, *t;
+ util_queue_drop_job(&screen->shader_compiler_queue, &shader->ready);
+
 v = shader->variants;
 while (v) {
 t = v;
@@ -526,6 +530,7 @@ etna_delete_shader_state(struct pipe_context *pctx, void *ss)
 tgsi_free_tokens(shader->tokens);
 ralloc_free(shader->nir);
+ util_queue_fence_destroy(&shader->ready);
 FREE(shader);
 }
--
2.7.4
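Review bot: The new `util_queue_drop_job(&screen->shader_compiler_queue, &shader->ready);` call at the top of etna_delete_shader_state assumes `shader->ready` was initialised on every path that produces a shader state, including any path where no async job was queued. etna_create_shader_state lies outside this hunk, so that is worth confirming; otherwise this call and the `util_queue_fence_destroy(&shader->ready);` added in the second hunk would operate on an uninitialised fence. The ordering is also load-bearing but undocumented: the drop has to stay ahead of the variant loop and the frees, or the compile thread can still touch memory that is being released. I would add a comment above the call, e.g. `/* Cancel or wait for the pending async compile before freeing anything it uses. */`. Per the commit message the check inside util_queue_fence_destroy is an assertion, so release builds presumably rely on the drop alone.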