From: Eric Anholt Date: Mon, 18 Sep 2017 21:52:32 +0000 (-0700) Subject: broadcom/vc4: Fix use-after-free for flushing when writing to a texture. X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=d88a75182d5fccb956fbfccddf627aa1831465be;p=mesa.git broadcom/vc4: Fix use-after-free for flushing when writing to a texture. I was trying to continue the hash table loop, not the inner loop. This tended to work out, because we would have *just* freed the job struct. Fixes some valgrind failures in fbo-depthtex. Fixes: f597ac396640 ("vc4: Implement job shuffling") --- diff --git a/src/gallium/drivers/vc4/vc4_job.c b/src/gallium/drivers/vc4/vc4_job.c index 1dab4bedd32..6a1d1a4cebf 100644 --- a/src/gallium/drivers/vc4/vc4_job.c +++ b/src/gallium/drivers/vc4/vc4_job.c @@ -118,12 +118,17 @@ vc4_flush_jobs_reading_resource(struct vc4_context *vc4, struct vc4_job *job = entry->data; struct vc4_bo **referenced_bos = job->bo_pointers.base; + bool found = false; for (int i = 0; i < cl_offset(&job->bo_handles) / 4; i++) { if (referenced_bos[i] == rsc->bo) { - vc4_job_submit(vc4, job); - continue; + found = true; + break; } } + if (found) { + vc4_job_submit(vc4, job); + continue; + } /* Also check for the Z/color buffers, since the references to * those are only added immediately before submit.
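Review bot: the new `if (found)` block after the inner loop carries no comment saying why the submit had to move out of the `for` loop, and the commit message is the only place that records that `vc4_job_submit(vc4, job)` frees the job struct. A one-line comment above `if (found) {` stating that neither `job` nor `referenced_bos` may be touched after the submit would keep a later cleanup from folding the call back into the inner loop, where `continue` only advances `i` and the loop condition `cl_offset(&job->bo_handles) / 4` then reads the freed job. The flag could also be dropped by moving the scan into a small helper that returns bool, which makes the outer-loop `continue` the only control flow at this level. The trailing context shows the Z/color buffer check on the same `job` following this block; its submit path is outside the hunk, so it is worth confirming that it also leaves the current hash table entry immediately after submitting.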