From 9fcc36977038597e1f381fca5289420679376eb8 Mon Sep 17 00:00:00 2001
From: Eric Anholt
Date: Thu, 18 Feb 2021 13:53:31 -0800
Subject: [PATCH] mesa: Always make sure uniform storage doesn't get reallocated.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Every caller of associate_uniform_storage was doing this to safety-check that the uniform storage didn't get reallocated, except for st_deserialise_ir_program(). This ended up leaving an opening for use-after-free without hitting the assert in the hot-cache case (and I found it on freedreno). Having added it, it also reveals use-after-frees in the drawpixels shader variant cases on llvmpipe and zink.

Reviewed-by: Marek Olšák
Part-of:
---
 src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml | 3 +++
 src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt | 2 ++
 src/mesa/program/ir_to_mesa.cpp | 2 ++
 src/mesa/state_tracker/st_glsl_to_nir.cpp | 1 -
 src/mesa/state_tracker/st_glsl_to_tgsi.cpp | 1 -
 5 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml b/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml
index 73c321a..6bec330 100644
--- a/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml
+++ b/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml
@@ -31,7 +31,10 @@ llvmpipe-piglit-quick_gl:
 LP_NUM_THREADS: 0
 PIGLIT_OPTIONS: >
 --process-isolation false
+ # Can't run gl-2.0-edgeflag* because of assertion failures on loading from
+ # disk cache which flake depending on which one runs first
 PIGLIT_TESTS: >
+ -x gl-2.0-edgeflag
 -x egl_ext_device_
 -x egl_ext_platform_device
 -x ext_timer_query@time-elapsed
diff --git a/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt b/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt
index 965ebe1..fb9028c 100644
--- a/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt
+++ b/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt
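Review bot: The new `# Can't run gl-2.0-edgeflag*` comment and the `-x gl-2.0-edgeflag` exclusion record a known assertion failure without saying where it is tracked, and the two `crash` expectations added in llvmpipe-quick_gl.txt (`shaders/useprogram-refcount-1`, `fbo-drawbuffers-none gldrawpixels`) do the same. The commit message attributes these to use-after-frees that the new check exposes on llvmpipe, so a memory-safety bug is being baked into CI as an expected outcome, and such entries tend to outlive the fix unless the exclusion states what has to happen for it to be removed. I'd extend the comment to `# disk cache which flake depending on which one runs first (tracked in <ISSUE-LINK>;` / `# drop this exclusion and the crash expectations once the use-after-free is fixed)`. Whether a tracking issue already exists is not visible from this patch.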
@@ -88,6 +88,7 @@ shaders/sso-uniforms-01: skip
 shaders/sso-uniforms-02: skip
 shaders/sso-user-varying-01: skip
 shaders/sso-user-varying-02: skip
+shaders/useprogram-refcount-1: crash
 shaders/useshaderprogram-bad-program: skip
 shaders/useshaderprogram-bad-type: skip
 shaders/useshaderprogram-flushverts-1: skip
@@ -470,6 +471,7 @@ spec/arb_fragment_shader_interlock/arb_fragment_shader_interlock-image-load-stor
 spec/arb_framebuffer_no_attachments/arb_framebuffer_no_attachments-params/dsa: skip
 spec/arb_framebuffer_no_attachments/arb_framebuffer_no_attachments-query/ms2: skip
 spec/arb_framebuffer_object/fbo-blit-scaled-linear: fail
+spec/arb_framebuffer_object/fbo-drawbuffers-none gldrawpixels: crash
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices gl_line_strip_adjacency: skip
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices gl_lines_adjacency: skip
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices gl_triangle_strip_adjacency: skip
diff --git a/src/mesa/program/ir_to_mesa.cpp b/src/mesa/program/ir_to_mesa.cpp
index 9214f8b..d3ea9b0 100644
--- a/src/mesa/program/ir_to_mesa.cpp
+++ b/src/mesa/program/ir_to_mesa.cpp
@@ -2474,6 +2474,8 @@ _mesa_associate_uniform_storage(struct gl_context *ctx,
 struct gl_program_parameter_list *params = prog->Parameters;
 gl_shader_stage shader_type = prog->info.stage;
 
+ _mesa_disallow_parameter_storage_realloc(params);
+
 /* After adding each uniform to the parameter list, connect the storage for
 * the parameter with the tracking structure used by the API for the
 * uniform.
diff --git a/src/mesa/state_tracker/st_glsl_to_nir.cpp b/src/mesa/state_tracker/st_glsl_to_nir.cpp
index 4708c59..2a1916c 100644
--- a/src/mesa/state_tracker/st_glsl_to_nir.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_nir.cpp
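Review bot: The added `_mesa_disallow_parameter_storage_realloc(params);` at the top of `_mesa_associate_uniform_storage` carries no comment saying why the lock now lives here instead of at each caller, which is exactly what a future reader needs before moving or removing it. I'd precede it with `/* The uniform storage connected below aliases prog->ParameterValues, so any` / ` * later growth of the list would leave it dangling; lock the list here rather` / ` * than trusting every caller to do it (st_deserialise_ir_program did not). */`. The body of `_mesa_associate_uniform_storage` continues past the hunk, so I cannot see whether anything after this point still needs to add parameters; if it does, that path would now hit the realloc assert the commit message mentions, which is worth confirming against the two callers whose own disallow call this commit removes in st_glsl_to_nir.cpp and st_glsl_to_tgsi.cpp.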
@@ -505,7 +505,6 @@ st_glsl_to_nir_post_opts(struct st_context *st, struct gl_program *prog,
 * This should be enough for Bitmap and DrawPixels constants.
 */
 _mesa_reserve_parameter_storage(prog->Parameters, 16, 16);
- _mesa_disallow_parameter_storage_realloc(prog->Parameters);
 
 /* This has to be done last. Any operation the can cause
 * prog->ParameterValues to get reallocated (e.g., anything that adds a
diff --git a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
index 53697ac..6c9edd3 100644
--- a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
@@ -7238,7 +7238,6 @@ get_mesa_program_tgsi(struct gl_context *ctx,
 * This should be enough for Bitmap and DrawPixels constants.
 */
 _mesa_reserve_parameter_storage(prog->Parameters, 8, 8);
- _mesa_disallow_parameter_storage_realloc(prog->Parameters);
 
 /* This has to be done last. Any operation the can cause
 * prog->ParameterValues to get reallocated (e.g., anything that adds a
-- 
2.7.4