mesa: Always make sure uniform storage doesn't get reallocated.

Every caller of associate_uniform_storage was doing this to safety-check that the uniform storage didn't get reallocated, except for st_deserialise_ir_program(). This ended up leaving an opening for use-after-free without hitting the assert in the hot-cache case (and I found it on freedreno). Having added it, it also reveals use-after-frees in the drawpixels shader variant cases on llvmpipe and zink. Reviewed-by: Marek Olšák <marek.olsak@amd.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8997>
2026-05-08 02:38:04 +02:00 · 2021-02-18 13:53:31 -08:00 · 2021-02-18 13:53:31 -08:00 · 9fcc369770
commit 9fcc369770
parent 3468c0dd4d
5 changed files with 7 additions and 2 deletions
--- a/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml
+++ b/src/gallium/drivers/llvmpipe/ci/gitlab-ci.yml
@ -31,7 +31,10 @@ llvmpipe-piglit-quick_gl:
    LP_NUM_THREADS: 0
    PIGLIT_OPTIONS: >
      --process-isolation false
+    # Can't run gl-2.0-edgeflag* because of assertion failures on loading from
+    # disk cache which flake depending on which one runs first
    PIGLIT_TESTS: >
+      -x gl-2.0-edgeflag
      -x egl_ext_device_
      -x egl_ext_platform_device
      -x ext_timer_query@time-elapsed
--- a/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt
+++ b/src/gallium/drivers/llvmpipe/ci/llvmpipe-quick_gl.txt
@ -88,6 +88,7 @@ shaders/sso-uniforms-01: skip
 shaders/sso-uniforms-02: skip
 shaders/sso-user-varying-01: skip
 shaders/sso-user-varying-02: skip
+shaders/useprogram-refcount-1: crash
 shaders/useshaderprogram-bad-program: skip
 shaders/useshaderprogram-bad-type: skip
 shaders/useshaderprogram-flushverts-1: skip
@ -470,6 +471,7 @@ spec/arb_fragment_shader_interlock/arb_fragment_shader_interlock-image-load-stor
 spec/arb_framebuffer_no_attachments/arb_framebuffer_no_attachments-params/dsa: skip
 spec/arb_framebuffer_no_attachments/arb_framebuffer_no_attachments-query/ms2: skip
 spec/arb_framebuffer_object/fbo-blit-scaled-linear: fail
+spec/arb_framebuffer_object/fbo-drawbuffers-none gldrawpixels: crash
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices  gl_line_strip_adjacency: skip
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices  gl_lines_adjacency: skip
 spec/arb_geometry_shader4/arb_geometry_shader4-ignore-adjacent-vertices  gl_triangle_strip_adjacency: skip
--- a/src/mesa/program/ir_to_mesa.cpp
+++ b/src/mesa/program/ir_to_mesa.cpp
@ -2474,6 +2474,8 @@ _mesa_associate_uniform_storage(struct gl_context *ctx,
   struct gl_program_parameter_list *params = prog->Parameters;
   gl_shader_stage shader_type = prog->info.stage;

+   _mesa_disallow_parameter_storage_realloc(params);
+
   /* After adding each uniform to the parameter list, connect the storage for
    * the parameter with the tracking structure used by the API for the
    * uniform.
--- a/src/mesa/state_tracker/st_glsl_to_nir.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_nir.cpp
@ -505,7 +505,6 @@ st_glsl_to_nir_post_opts(struct st_context *st, struct gl_program *prog,
    * This should be enough for Bitmap and DrawPixels constants.
    */
   _mesa_reserve_parameter_storage(prog->Parameters, 16, 16);
-   _mesa_disallow_parameter_storage_realloc(prog->Parameters);

   /* This has to be done last.  Any operation the can cause
    * prog->ParameterValues to get reallocated (e.g., anything that adds a
--- a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
@ -7238,7 +7238,6 @@ get_mesa_program_tgsi(struct gl_context *ctx,
    * This should be enough for Bitmap and DrawPixels constants.
    */
   _mesa_reserve_parameter_storage(prog->Parameters, 8, 8);
-   _mesa_disallow_parameter_storage_realloc(prog->Parameters);

   /* This has to be done last.  Any operation the can cause
    * prog->ParameterValues to get reallocated (e.g., anything that adds a