From df82221bb32c73f111d60e02655339846136e2de Mon Sep 17 00:00:00 2001
From: Konstantin Seurer
Date: Sun, 28 Apr 2024 15:57:30 +0200
Subject: [PATCH] radv: Remove arenas from capture_replay_arena_vas
Avoids an use after free when looking up an arena.
cc: mesa-stable
Reviewed-by: Samuel Pitoiset
Part-of:
---
 src/amd/vulkan/radv_device.c | 5 ++---
 src/amd/vulkan/radv_shader.c | 12 ++++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/amd/vulkan/radv_device.c b/src/amd/vulkan/radv_device.c
index 7d598981ffd..5b5600fc8c9 100644
--- a/src/amd/vulkan/radv_device.c
+++ b/src/amd/vulkan/radv_device.c
@@ -1294,9 +1294,6 @@ radv_DestroyDevice(VkDevice _device, const VkAllocationCallbacks *pAllocator)
 if (!device) return;
- if (device->capture_replay_arena_vas)
- _mesa_hash_table_u64_destroy(device->capture_replay_arena_vas);
-
 radv_device_finish_perf_counter_lock_cs(device);
 if (device->perf_counter_bo) radv_bo_destroy(device, NULL, device->perf_counter_bo);
@@ -1347,6 +1344,8 @@ radv_DestroyDevice(VkDevice _device, const VkAllocationCallbacks *pAllocator)
 radv_finish_trace(device);
 radv_destroy_shader_arenas(device);
+ if (device->capture_replay_arena_vas)
+ _mesa_hash_table_u64_destroy(device->capture_replay_arena_vas);
 radv_printf_data_finish(device);
diff --git a/src/amd/vulkan/radv_shader.c b/src/amd/vulkan/radv_shader.c
index 15d10a90f9f..366224c06ea 100644
--- a/src/amd/vulkan/radv_shader.c
+++ b/src/amd/vulkan/radv_shader.c
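Review bot: The new position of the `_mesa_hash_table_u64_destroy` call in radv_DestroyDevice (second radv_device.c hunk) carries an ordering requirement that no comment states: the table now has to stay alive until `radv_destroy_shader_arenas(device)` has run, presumably because arena teardown reaches the table scan added to radv_free_shader_memory in radv_shader.c. A later reshuffle of this teardown sequence could silently bring the use after free back, so I would put `/* Must come after radv_destroy_shader_arenas(): freeing an arena removes it from capture_replay_arena_vas. */` above the `if`. The body of radv_DestroyDevice starts and ends outside the hunk, so other users of the table further down the teardown path are not visible here.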
@@ -1153,6 +1153,18 @@ radv_free_shader_memory(struct radv_device *device, union radv_shader_arena_bloc
 radv_bo_destroy(device, NULL, arena->bo);
 list_del(&arena->list);
+
+ if (device->capture_replay_arena_vas) {
+ struct hash_entry *arena_entry = NULL;
+ hash_table_foreach (device->capture_replay_arena_vas->table, entry) {
+ if (entry->data == arena) {
+ arena_entry = entry;
+ break;
+ }
+ }
+ _mesa_hash_table_remove(device->capture_replay_arena_vas->table, arena_entry);
+ }
+
 free(arena);
 } else if (free_list) {
 add_hole(free_list, hole);
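Review bot: `arena_entry` is still NULL when the scan finds no entry whose `data` is this arena, and it is then passed to `_mesa_hash_table_remove` unconditionally, so the code depends on that function accepting a NULL entry. Doing the removal where the match is found makes that explicit and drops the extra variable: `if (entry->data == arena) { _mesa_hash_table_remove(device->capture_replay_arena_vas->table, entry); break; }`. The removal also goes through `->table` with the generic remove rather than the u64 wrapper; if the wrapper allocates per-entry key storage on some builds, this path would skip freeing it, which is worth checking. radv_free_shader_memory begins and continues outside the hunk, so whether the lock held here is the one that guards lookups in this table cannot be confirmed from the hunk.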