From 3ded967693e2adf679d536fe4311ab78f75ebf24 Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Mon, 22 Aug 2022 20:10:46 +0200
Subject: [PATCH] gallium/u_threaded: add missing reference counts for draw_multi slots
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a glMultiDrawElementsEXT() call doesn't fit into a single slot, the same pipe_resource pointer is copied into all following slots, the completion of each will decrement the reference counter; however, it was never incremented for all but the first slot.

This fixes a use-after-free bug with glMultiDrawElementsEXT().

Cc: mesa-stable
Reviewed-by: Marek Olšák
Reviewed-By: Mike Blumenkrantz
Part-of:
(cherry picked from commit 0a0fb7cbc63d66977c148c3f5fd86de8e879f1ab)
---
 .pick_status.json | 2 +-
 src/gallium/auxiliary/util/u_threaded_context.c | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index dd24d4e0a3e..4578d4ab612 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -4297,7 +4297,7 @@
 "description": "gallium/u_threaded: add missing reference counts for draw_multi slots",
 "nominated": true,
 "nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": null
 },
diff --git a/src/gallium/auxiliary/util/u_threaded_context.c b/src/gallium/auxiliary/util/u_threaded_context.c
index 74d39f8da9b..8b28276c615 100644
--- a/src/gallium/auxiliary/util/u_threaded_context.c
+++ b/src/gallium/auxiliary/util/u_threaded_context.c
@@ -3371,7 +3371,14 @@ tc_draw_vbo(struct pipe_context *_pipe, const struct pipe_draw_info *info, tc_add_slot_based_call(tc, TC_CALL_draw_multi, tc_draw_multi, dr); memcpy(&p->info, info, DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX); - p->info.index.resource = buffer; + + if (total_offset == 0) + /* the first slot inherits the reference from u_upload_alloc() */ + p->info.index.resource = buffer; + else + /* all following slots need a new reference */ + tc_set_resource_reference(&p->info.index.resource, buffer); + p->num_draws = dr; /* Upload index buffers. */
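Review bot: The `else` branch passes `&p->info.index.resource` to `tc_set_resource_reference()`, but judging by the size macro's name (`DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX`) the preceding `memcpy` does not initialise that field, so this is only safe if the helper overwrites the destination without releasing whatever stale pointer the slot held; its definition is not in this hunk and should be confirmed. I would state the ownership invariant in the comment, e.g. `/* each slot drops one reference on completion; slots after the first take their own, and the helper must not unref the old slot contents */`. The braceless `if`/`else` with a comment as the first line of each arm is easy to break when a later change adds a statement, so braces around both arms would protect the reference split. The enclosing loop in `tc_draw_vbo` starts and ends outside the hunk, so whether `total_offset == 0` identifies exactly the first slot cannot be checked from here.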