fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-01-27 05:30:24 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

zink: Use the correct array size for signal_values[]

Browse source 
When the size of the signals[] array was changed to 3, the
signal_values[] array was not updated accordingly.  If we have a
signal_semaphore and are presenting at the same time, this can lead to
an array overflow and the driver will read some random stack value as
the signal value.  This is causing chromium to lock up when running
WebGL.

Fixes: 7f56fd9655 ("zink: it's kopperin' time")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/33549>
(cherry picked from commit 1ffa782227)
This commit is contained in:
Faith Ekstrand 2025-02-14 08:58:38 -06:00 committed by Eric Engestrom
parent ce12f4c6f8
commit 3055ca6ff6
2 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.pick_status.json
View file

@ -304,7 +304,7 @@
"description": "zink: Use the correct array size for signal_values[]",
"nominated": true,
"nomination_type": 2,
"resolution": 0,
"resolution": 1,
"main_sha": null,
"because_sha": "7f56fd965504b4c21417e6f54267f7c7b8470caf",
"notes": null

8
src/gallium/drivers/zink/zink_batch.c
View file

@ -619,6 +619,8 @@ typedef enum {
ZINK_SUBMIT_MAX
} zink_submit;
#define ZINK_MAX_SIGNALS 3
static void
submit_queue(void *data, void *gdata, int thread_index)
{
@ -685,12 +687,12 @@ submit_queue(void *data, void *gdata, int thread_index)
si[ZINK_SUBMIT_CMDBUF].pSignalSemaphores = bs->signal_semaphores.data;
/* then the signal submit with the timeline (fence) semaphore */
VkSemaphore signals[3];
VkSemaphore signals[ZINK_MAX_SIGNALS];
si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount = !!bs->signal_semaphore;
signals[0] = bs->signal_semaphore;
si[ZINK_SUBMIT_SIGNAL].pSignalSemaphores = signals;
VkTimelineSemaphoreSubmitInfo tsi = {0};
uint64_t signal_values[2] = {0};
uint64_t signal_values[ZINK_MAX_SIGNALS] = {0};
tsi.sType = VK_STRUCTURE_TYPE_TIMELINE_SEMAPHORE_SUBMIT_INFO;
si[ZINK_SUBMIT_SIGNAL].pNext = &tsi;
tsi.pSignalSemaphoreValues = signal_values;
@ -702,6 +704,8 @@ submit_queue(void *data, void *gdata, int thread_index)
signals[si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount++] = bs->present;
tsi.signalSemaphoreValueCount = si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount;
assert(si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount <= ZINK_MAX_SIGNALS);
assert(tsi.signalSemaphoreValueCount <= ZINK_MAX_SIGNALS);
VkResult result;
if (bs->has_work) {