From 3055ca6ff6563bce89af020c69e5fecafc4441d8 Mon Sep 17 00:00:00 2001
From: Faith Ekstrand
Date: Fri, 14 Feb 2025 08:58:38 -0600
Subject: [PATCH] zink: Use the correct array size for signal_values[]

When the size of the signals[] array was changed to 3, the signal_values[] array was not updated accordingly. If we have a signal_semaphore and are presenting at the same time, this can lead to an array overflow and the driver will read some random stack value as the signal value. This is causing chromium to lock up when running WebGL.

Fixes: 7f56fd965504 ("zink: it's kopperin' time")
Part-of:
(cherry picked from commit 1ffa782227912fbab4ada0902fc71487acad2150)
---
 .pick_status.json | 2 +-
 src/gallium/drivers/zink/zink_batch.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index b6a49dbd301..35b6b227f97 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -304,7 +304,7 @@
 "description": "zink: Use the correct array size for signal_values[]",
 "nominated": true,
 "nomination_type": 2,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "7f56fd965504b4c21417e6f54267f7c7b8470caf",
 "notes": null
diff --git a/src/gallium/drivers/zink/zink_batch.c b/src/gallium/drivers/zink/zink_batch.c
index 851270a08a9..0540c08e489 100644
--- a/src/gallium/drivers/zink/zink_batch.c
+++ b/src/gallium/drivers/zink/zink_batch.c
@@ -619,6 +619,8 @@ typedef enum {
 ZINK_SUBMIT_MAX
 } zink_submit;
+#define ZINK_MAX_SIGNALS 3
+
 static void
 submit_queue(void *data, void *gdata, int thread_index)
 {
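Review bot: `ZINK_MAX_SIGNALS` is added in the `zink_batch.c` hunk at -619 with no comment saying which three semaphores it counts, so a later change that appends another entry to `signals[]` has nothing telling it to raise the constant. That is the same drift the commit message describes for `signal_values[]`. A comment above the define would record it, for example `/* capacity of signals[]/signal_values[] in submit_queue(): signal_semaphore, timeline (fence) semaphore, present */`. The slot list is inferred from the later hunks and the commit message, so it should be confirmed against the full body of `submit_queue()`, which starts at the end of this hunk and continues outside it.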
@@ -685,12 +687,12 @@ submit_queue(void *data, void *gdata, int thread_index)
 si[ZINK_SUBMIT_CMDBUF].pSignalSemaphores = bs->signal_semaphores.data;
 /* then the signal submit with the timeline (fence) semaphore */
- VkSemaphore signals[3];
+ VkSemaphore signals[ZINK_MAX_SIGNALS];
 si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount = !!bs->signal_semaphore;
 signals[0] = bs->signal_semaphore;
 si[ZINK_SUBMIT_SIGNAL].pSignalSemaphores = signals;
 VkTimelineSemaphoreSubmitInfo tsi = {0};
- uint64_t signal_values[2] = {0};
+ uint64_t signal_values[ZINK_MAX_SIGNALS] = {0};
 tsi.sType = VK_STRUCTURE_TYPE_TIMELINE_SEMAPHORE_SUBMIT_INFO;
 si[ZINK_SUBMIT_SIGNAL].pNext = &tsi;
 tsi.pSignalSemaphoreValues = signal_values;
@@ -702,6 +704,8 @@ submit_queue(void *data, void *gdata, int thread_index)
 signals[si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount++] = bs->present;
 tsi.signalSemaphoreValueCount = si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount;
+ assert(si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount <= ZINK_MAX_SIGNALS);
+ assert(tsi.signalSemaphoreValueCount <= ZINK_MAX_SIGNALS);
 VkResult result;
 if (bs->has_work) {
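Review bot: The two asserts added in the hunk at -702 run only after `signals[...++] = bs->present` has already stored into the array, and `assert()` compiles to nothing when NDEBUG is defined. In such a build they neither prevent nor report the stack overrun this commit fixes. The second assert is also redundant, because `tsi.signalSemaphoreValueCount` is assigned from `signalSemaphoreCount` on the line directly above it. Consider checking the bound before each store, e.g. `assert(si[ZINK_SUBMIT_SIGNAL].signalSemaphoreCount < ZINK_MAX_SIGNALS);` ahead of the `signals[...++] =` write, and keeping a single post-condition assert. The other writes to `signals[]` and `signal_values[]` fall between the two hunks and are not visible here, so whether they need the same guard has to be checked in the full function.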