From 23cb39dc66fd45aface33da74ffb2afe3439bc55 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Sun, 18 Apr 2021 09:10:07 -0700 Subject: [PATCH] freedreno/ir3: Fix use after free If the tex/sfu ssa src is from a different block than the one currently being scheduled, we do not have a valid sched-node. So fallback to previous behavior rather than dereference an invalid ptr. Fixes: 7821e5a3f8d ("ir3/sched: Don't penalize uses of already-waited tex/SFU") Signed-off-by: Rob Clark Part-of: (cherry picked from commit 09f64f74db9e0dd22ef6e4bf616ac7bffde2a6fd) --- .pick_status.json | 2 +- src/freedreno/ir3/ir3_sched.c | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.pick_status.json b/.pick_status.json index cc28051a311..93a2283095d 100644 --- a/.pick_status.json +++ b/.pick_status.json @@ -787,7 +787,7 @@ "description": "freedreno/ir3: Fix use after free", "nominated": true, "nomination_type": 1, - "resolution": 0, + "resolution": 1, "main_sha": null, "because_sha": "7821e5a3f8d593e1e9738924f5f4dc5996583518" }, diff --git a/src/freedreno/ir3/ir3_sched.c b/src/freedreno/ir3/ir3_sched.c index 51b39dc1ee9..2e6bb31840a 100644 --- a/src/freedreno/ir3/ir3_sched.c +++ b/src/freedreno/ir3/ir3_sched.c @@ -194,6 +194,12 @@ is_outstanding_tex_or_prefetch(struct ir3_instruction *instr, struct ir3_sched_c if (!is_tex_or_prefetch(instr)) return false; + /* The sched node is only valid within the same block, we cannot + * really say anything about src's from other blocks + */ + if (instr->block != ctx->block) + return true; + struct ir3_sched_node *n = instr->data; return n->tex_index >= ctx->first_outstanding_tex_index; } 
@@ -204,6 +210,12 @@ is_outstanding_sfu(struct ir3_instruction *instr, struct ir3_sched_ctx *ctx) if (!is_sfu(instr)) return false; + /* The sched node is only valid within the same block, we cannot + * really say anything about src's from other blocks + */ + if (instr->block != ctx->block) + return true; + struct ir3_sched_node *n = instr->data; return n->sfu_index >= ctx->first_outstanding_sfu_index; }
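Review bot: In is_outstanding_tex_or_prefetch(), the new comment above `if (instr->block != ctx->block)` explains why the sched node cannot be consulted, but not why the answer in that case is `return true`. The commit message describes this as falling back to the previous behavior. It would help to say in the comment itself that a tex/prefetch src from another block is conservatively treated as still outstanding, so a later reader does not mistake the early return for an arbitrary choice or flip it to `false`.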
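Review bot: The guard added to is_outstanding_sfu() is a verbatim copy, comment included, of the one added to is_outstanding_tex_or_prefetch(). In both places it exists only to protect the `struct ir3_sched_node *n = instr->data;` line that follows. Consider moving the `instr->block != ctx->block` test into one small shared helper that both functions call before touching `instr->data`, so that any later code reading the sched node through `instr->data` gets the same-block check from a single place instead of needing a third copy.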