From b775aaff1ec86f4ebd50867a045695da1fbeb2e1 Mon Sep 17 00:00:00 2001
From: Samuel Pitoiset
Date: Tue, 28 Dec 2021 15:14:02 +0100
Subject: [PATCH] radv: re-apply "Do not access set layout during vkCmdBindDescriptorSets."

Uplay needs this to avoid a crash because it does an use-after-free of a descriptor set layout. This was initially introduced by Bas to workaround a similar issue with Baldur's Gate 3, it seems needed again.

Cc: 21.3 mesa-stable
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5789
Signed-off-by: Samuel Pitoiset
Reviewed-by: Bas Nieuwenhuizen
Part-of:
---
 src/amd/vulkan/radv_cmd_buffer.c | 5 ++---
 src/amd/vulkan/radv_descriptor_set.c | 9 +++++++--
 src/amd/vulkan/radv_descriptor_set.h | 4 +++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/amd/vulkan/radv_cmd_buffer.c b/src/amd/vulkan/radv_cmd_buffer.c
index ec81e4a56c1..c20e75eb5be 100644
--- a/src/amd/vulkan/radv_cmd_buffer.c
+++ b/src/amd/vulkan/radv_cmd_buffer.c
@@ -4689,7 +4689,6 @@ radv_bind_descriptor_set(struct radv_cmd_buffer *cmd_buffer, VkPipelineBindPoint
 radv_set_descriptor_set(cmd_buffer, bind_point, set, idx);
 
 assert(set);
-assert(!(set->header.layout->flags & VK_DESCRIPTOR_SET_LAYOUT_CREATE_PUSH_DESCRIPTOR_BIT_KHR));
 
 if (!cmd_buffer->device->use_global_bo_list) {
 for (unsigned j = 0; j < set->header.buffer_count; ++j)
@@ -4727,7 +4726,7 @@ radv_CmdBindDescriptorSets(VkCommandBuffer commandBuffer, VkPipelineBindPoint pi
 radv_bind_descriptor_set(cmd_buffer, pipelineBindPoint, set, set_idx);
 }
 
-for (unsigned j = 0; j < set->header.layout->dynamic_offset_count; ++j, ++dyn_idx) {
+for (unsigned j = 0; j < layout->set[set_idx].dynamic_offset_count; ++j, ++dyn_idx) {
 unsigned idx = j + layout->set[i + firstSet].dynamic_offset_start;
 uint32_t *dst = descriptors_state->dynamic_buffers + idx * 4;
 assert(dyn_idx < dynamicOffsetCount);
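Review bot: In the second hunk of radv_cmd_buffer.c the new loop bound indexes the pipeline layout with `set_idx` while the very next line indexes it with `i + firstSet`; if these are the same index (set_idx is assigned outside the hunk, presumably from i + firstSet, as the preceding radv_bind_descriptor_set call suggests), the line should read `unsigned idx = j + layout->set[set_idx].dynamic_offset_start;` so the two reads cannot drift apart. Since the point of the change is that `set->header.layout` may already have been destroyed by the application by the time vkCmdBindDescriptorSets runs, a comment on the loop such as `/* Read the per-set dynamic offset info from the pipeline layout, not set->header.layout: the app may already have destroyed the set layout. */` would stop a later cleanup from reintroducing the dereference, which the commit message says has happened once already. radv_CmdBindDescriptorSets begins and ends outside the hunk.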
@@ -4753,7 +4752,7 @@ radv_CmdBindDescriptorSets(VkCommandBuffer commandBuffer, VkPipelineBindPoint pi
 }
 }
 
-cmd_buffer->push_constant_stages |= set->header.layout->dynamic_shader_stages;
+cmd_buffer->push_constant_stages |= layout->set[set_idx].dynamic_offset_stages;
 }
 }
 }
diff --git a/src/amd/vulkan/radv_descriptor_set.c b/src/amd/vulkan/radv_descriptor_set.c
index fa23793c8e2..1c8ee0d7a0d 100644
--- a/src/amd/vulkan/radv_descriptor_set.c
+++ b/src/amd/vulkan/radv_descriptor_set.c
@@ -496,11 +496,16 @@ radv_CreatePipelineLayout(VkDevice _device, const VkPipelineLayoutCreateInfo *pC
 layout->set[set].layout = set_layout;
 
 layout->set[set].dynamic_offset_start = dynamic_offset_count;
+layout->set[set].dynamic_offset_count = 0;
+layout->set[set].dynamic_offset_stages = 0;
 for (uint32_t b = 0; b < set_layout->binding_count; b++) {
-dynamic_offset_count += set_layout->binding[b].array_size * set_layout->binding[b].dynamic_offset_count;
-dynamic_shader_stages |= set_layout->dynamic_shader_stages;
+layout->set[set].dynamic_offset_count +=
+set_layout->binding[b].array_size * set_layout->binding[b].dynamic_offset_count;
+layout->set[set].dynamic_offset_stages |= set_layout->dynamic_shader_stages;
 }
+dynamic_offset_count += layout->set[set].dynamic_offset_count;
+dynamic_shader_stages |= layout->set[set].dynamic_offset_stages;
 
 /* Hash the entire set layout except for the vk_object_base. The
 * rest of the set layout is carefully constructed to not have
diff --git a/src/amd/vulkan/radv_descriptor_set.h b/src/amd/vulkan/radv_descriptor_set.h
index 298c4c62fcb..1038bc52b16 100644
--- a/src/amd/vulkan/radv_descriptor_set.h
+++ b/src/amd/vulkan/radv_descriptor_set.h
@@ -89,7 +89,9 @@ struct radv_pipeline_layout {
 struct {
 struct radv_descriptor_set_layout *layout;
 uint32_t size;
-uint32_t dynamic_offset_start;
+uint16_t dynamic_offset_start;
+uint16_t dynamic_offset_count;
+VkShaderStageFlags dynamic_offset_stages;
 } set[MAX_SETS];
 
 uint32_t num_sets;
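Review bot: In the radv_descriptor_set.c hunk, `layout->set[set].dynamic_offset_start = dynamic_offset_count;` and the `+=` accumulation now store into the `uint16_t` fields introduced in the radv_descriptor_set.h hunk, while the running `dynamic_offset_count` total is presumably still 32-bit (its declaration is outside the hunk), so a value above UINT16_MAX would be silently truncated. The device's advertised dynamic-buffer limits presumably keep these counts far below that, but nothing at the store records the assumption; `assert(dynamic_offset_count <= UINT16_MAX);` before the assignment would make it checked at the exact point where the width changes. On style, `layout->set[set].dynamic_offset_stages |= set_layout->dynamic_shader_stages;` does not depend on `b` and could be a single assignment ahead of the loop, provided a set layout with no bindings is guaranteed to report zero `dynamic_shader_stages`. radv_CreatePipelineLayout begins and ends outside the hunk.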