[amdgpu] Update buffer in use flag on rpcsx-gpu side

Fixed dangling pointer dereferences
2025-03-04 00:27:40 +00:00 · 2023-07-20 03:14:52 +03:00 · 2023-07-20 03:14:52 +03:00 · fd16ce4f62
commit fd16ce4f62
parent 294feb5f9d
3 changed files with 21 additions and 26 deletions
--- a/hw/amdgpu/bridge/include/amdgpu/bridge/bridge.hpp
+++ b/hw/amdgpu/bridge/include/amdgpu/bridge/bridge.hpp
@ -50,6 +50,7 @@ struct BridgeHeader {
  volatile std::uint32_t flipBuffer;
  volatile std::uint64_t flipArg;
  volatile std::uint64_t flipCount;
+  volatile std::uint64_t bufferInUseAddress;
  std::uint32_t memoryAreaCount;
  std::uint32_t commandBufferCount;
  std::uint32_t bufferCount;
--- a/hw/amdgpu/device/src/device.cpp
+++ b/hw/amdgpu/device/src/device.cpp
@ -2075,7 +2075,7 @@ struct AreaCache {
    auto imageHandle = vk::Image2D::Allocate(getDeviceLocalMemory(), width,
                                             height, vkFormat, usage);

-    auto image = vk::ImageRef(imageHandle);
+    auto image = vk::ImageRef(images.emplace_front(std::move(imageHandle)));

    if ((access & shader::AccessOp::Load) == shader::AccessOp::Load) {
      buffers.push_back(image.read(
@ -2084,8 +2084,6 @@ struct AreaCache {
          getBitWidthOfSurfaceFormat(format) / 8, pitch));
    }

-    images.emplace_front(std::move(imageHandle));
-
    if ((access & shader::AccessOp::Store) == shader::AccessOp::Store) {
      writeBackImages.push_back({
          .image = image,
@ -2377,7 +2375,6 @@ struct RenderState {
            colorFormat,
            VK_IMAGE_USAGE_SAMPLED_BIT | VK_IMAGE_USAGE_TRANSFER_DST_BIT);
        auto image = vk::ImageRef(imageHandle);
-        images.push_back(std::move(imageHandle));

        buffers.push_back(
            image.read(cmdBuffer, getHostVisibleMemory(),
@ -2400,6 +2397,7 @@ struct RenderState {

        image.transitionLayout(cmdBuffer,
                               VK_IMAGE_LAYOUT_SHADER_READ_ONLY_OPTIMAL);
+        images.push_back(std::move(imageHandle));
        break;
      }

@ -2561,7 +2559,6 @@ struct RenderState {
                                    VK_IMAGE_USAGE_TRANSFER_SRC_BIT |
                                    VK_IMAGE_USAGE_TRANSFER_DST_BIT);
      auto colorImage = vk::ImageRef(colorImageHandle);
-      colorImages.push_back(std::move(colorImageHandle));

      buffers.push_back(colorImage.read(
          readCommandBuffer, getHostVisibleMemory(),
@ -2595,6 +2592,8 @@ struct RenderState {
          .attachment = attachmentIndex,
          .layout = VK_IMAGE_LAYOUT_COLOR_ATTACHMENT_OPTIMAL,
      });
+
+      colorImages.push_back(std::move(colorImageHandle));
    }

    auto depthImageHandle =
@ -3457,17 +3456,17 @@ bool amdgpu::device::AmdgpuDevice::handleFlip(
    std::vector<VkBuffer> &usedBuffers, std::vector<VkImage> &usedImages) {
  std::printf("requested flip %d\n", bufferIndex);

-  bridge->flipBuffer = bufferIndex;
-  bridge->flipArg = arg;
-  bridge->flipCount = bridge->flipCount + 1;
-
-  auto buffer = bridge->buffers[bufferIndex];
-
  if (bufferIndex == ~static_cast<std::uint32_t>(0)) {
+    bridge->flipBuffer = bufferIndex;
+    bridge->flipArg = arg;
+    bridge->flipCount = bridge->flipCount + 1;
+
    // black surface, ignore for now
    return false;
  }

+  auto buffer = bridge->buffers[bufferIndex];
+
  if (buffer.pitch == 0 || buffer.height == 0 || buffer.address == 0) {
    std::printf("Attempt to flip unallocated buffer\n");
    return false;
@ -3526,5 +3525,14 @@ bool amdgpu::device::AmdgpuDevice::handleFlip(

  usedBuffers.push_back(tmpBuffer.release());
  usedImages.push_back(bufferImageHandle.release());
+
+  bridge->flipBuffer = bufferIndex;
+  bridge->flipArg = arg;
+  bridge->flipCount = bridge->flipCount + 1;
+  auto bufferInUse =
+      g_hostMemory.getPointer<std::uint64_t>(bridge->bufferInUseAddress);
+  if (bufferInUse != nullptr) {
+    bufferInUse[bufferIndex] = 0;
+  }
  return true;
 }
--- a/rpcsx-os/iodev/dce.cpp
+++ b/rpcsx-os/iodev/dce.cpp
@ -90,7 +90,6 @@ struct ResolutionStatus {
 static std::int64_t dce_instance_ioctl(IoDeviceInstance *instance,
                                       std::uint64_t request, void *argp) {
  auto dceInstance = static_cast<DceInstance *>(instance);
-  static std::uint64_t *bufferInUsePtr = nullptr;

  if (request == 0xc0308203) {
    // returns:
@ -154,8 +153,7 @@ static std::int64_t dce_instance_ioctl(IoDeviceInstance *instance,
      *(std::uint64_t *)args->ptr = 0;         // dev offset
      *(std::uint64_t *)args->size = 0x100000; // size
    } else if (args->id == 31) {
-      bufferInUsePtr = (std::uint64_t *)args->size;
-      ORBIS_LOG_NOTICE("flipStatusPtr: ", bufferInUsePtr);
+      rx::bridge.header->bufferInUseAddress = args->size;
      return 0;
    } else if (args->id == 33) { // adjust color
      std::printf("adjust color\n");
@ -219,18 +217,6 @@ static std::int64_t dce_instance_ioctl(IoDeviceInstance *instance,

    rx::bridge.sendFlip(args->displayBufferIndex,
                        /*args->flipMode,*/ args->flipArg);
-
-    if (args->flipMode == 1 || args->arg7 == 0) {
-      // orbis::bridge.sendDoFlip();
-    }
-
-    if (args->displayBufferIndex != -1) {
-      if (bufferInUsePtr) {
-        auto ptr = bufferInUsePtr + args->displayBufferIndex;
-        ORBIS_LOG_NOTICE(" ========== fill status to:", ptr);
-        *ptr = 0;
-      }
-    }
    return 0;
  }