gallium/u_threaded: add missing reference counts for draw_multi slots

If a glMultiDrawElementsEXT() call doesn't fit into a single slot, the same pipe_resource pointer is copied into all following slots, the completion of each will decrement the reference counter; however, it was never incremented for all but the first slot. This fixes a use-after-free bug with glMultiDrawElementsEXT(). Cc: mesa-stable Reviewed-by: Marek Olšák <marek.olsak@amd.com> Reviewed-By: Mike Blumenkrantz <michael.blumenkrantz@gmail.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/18189> (cherry picked from commit 0a0fb7cbc63d66977c148c3f5fd86de8e879f1ab)
2024-11-23 15:30:09 +00:00 · 2022-08-22 20:10:46 +02:00 · 2022-08-22 20:10:46 +02:00 · 3ded967693
commit 3ded967693
parent 609949fbcf
2 changed files with 9 additions and 2 deletions
--- a/.pick_status.json
+++ b/.pick_status.json
@ -4297,7 +4297,7 @@
        "description": "gallium/u_threaded: add missing reference counts for draw_multi slots",
        "nominated": true,
        "nomination_type": 0,
-        "resolution": 0,
+        "resolution": 1,
        "main_sha": null,
        "because_sha": null
    },
--- a/src/gallium/auxiliary/util/u_threaded_context.c
+++ b/src/gallium/auxiliary/util/u_threaded_context.c
@ -3371,7 +3371,14 @@ tc_draw_vbo(struct pipe_context *_pipe, const struct pipe_draw_info *info,
            tc_add_slot_based_call(tc, TC_CALL_draw_multi, tc_draw_multi,
                                   dr);
         memcpy(&p->info, info, DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX);
+
+         if (total_offset == 0)
+            /* the first slot inherits the reference from u_upload_alloc() */
            p->info.index.resource = buffer;
+         else
+            /* all following slots need a new reference */
+            tc_set_resource_reference(&p->info.index.resource, buffer);
+
         p->num_draws = dr;

         /* Upload index buffers. */