From 3c129d440da7e11a40a4c511a7cf47bdae4ef3f2 Mon Sep 17 00:00:00 2001
From: zhangxingrong <zhangxingrong@uniontech.com>
Date: Thu, 1 Aug 2024 17:12:30 +0800
Subject: [PATCH] add some upstream patchs

---
 ...en-gem-close-and-gem-handle-tracking.patch | 42 ++++++++++++++++++
 backport-fix-double-free-of-BBitmap.patch     | 43 +++++++++++++++++++
 mesa.spec                                     |  8 +++-
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-a-race-condition-between-gem-close-and-gem-handle-tracking.patch
 create mode 100644 backport-fix-double-free-of-BBitmap.patch

diff --git a/backport-fix-a-race-condition-between-gem-close-and-gem-handle-tracking.patch b/backport-fix-a-race-condition-between-gem-close-and-gem-handle-tracking.patch
new file mode 100644
index 0000000..da20a14
--- /dev/null
+++ b/backport-fix-a-race-condition-between-gem-close-and-gem-handle-tracking.patch
@@ -0,0 +1,42 @@
+From 2e70757dc0b5adb854c2911081e670d753d6a524 Mon Sep 17 00:00:00 2001
+From: X512 <danger_mail@list.ru>
+Date: Thu, 25 Jul 2024 22:26:25 +0900
+Subject: [PATCH] egl/haiku: fix double free of BBitmap
+
+Cc: mesa-stable
+Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/30364>
+---
+ src/egl/drivers/haiku/egl_haiku.cpp | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/egl/drivers/haiku/egl_haiku.cpp b/src/egl/drivers/haiku/egl_haiku.cpp
+index 1541776740625..62d2fb5c3cd14 100644
+--- a/src/egl/drivers/haiku/egl_haiku.cpp
++++ b/src/egl/drivers/haiku/egl_haiku.cpp
+@@ -115,6 +115,9 @@ haiku_create_window_surface(_EGLDisplay *disp, _EGLConfig *conf,
+       return NULL;
+    }
+ 
++   // Unset and delete previously set bitmap if any.
++   delete ((BitmapHook *)native_window)->SetBitmap(NULL);
++
+    return &wgl_surf->base;
+ }
+ 
+@@ -168,6 +171,13 @@ haiku_destroy_surface(_EGLDisplay *disp, _EGLSurface *surf)
+       struct haiku_egl_surface *hgl_surf = haiku_egl_surface(surf);
+       struct pipe_screen *screen = hgl_dpy->disp->fscreen->screen;
+       screen->fence_reference(screen, &hgl_surf->throttle_fence, NULL);
++
++      // Unset bitmap to release ownership. Bitmap will be deleted later
++      // when destroying framebuffer.
++      BitmapHook *bitmapHook = (BitmapHook*)hgl_surf->fb->winsysContext;
++      if (bitmapHook != NULL)
++         bitmapHook->SetBitmap(NULL);
++
+       hgl_destroy_st_framebuffer(hgl_surf->fb);
+       free(surf);
+    }
+-- 
+GitLab
+
diff --git a/backport-fix-double-free-of-BBitmap.patch b/backport-fix-double-free-of-BBitmap.patch
new file mode 100644
index 0000000..ce13d71
--- /dev/null
+++ b/backport-fix-double-free-of-BBitmap.patch
@@ -0,0 +1,43 @@
+From f788c87d02b3814964afc17db5dca086d2a84071 Mon Sep 17 00:00:00 2001
+From: Yiwei Zhang <zzyiwei@chromium.org>
+Date: Wed, 24 Jul 2024 22:17:00 -0700
+Subject: [PATCH] venus: fix a race condition between gem close and gem handle
+ tracking
+
+After using sparse array to manager virtgpu bo, we set gem_handle to 0
+to indicate that the bo is invalid. However, the gem handle gets closed
+before that and can be reused by another newly created bo, leading to
+the tracked gem handle being unexpectedly zero'ed out.
+
+Fixes: 88f481dd742 ("venus: make sure gem_handle and vn_renderer_bo are 1:1")
+Signed-off-by: Yiwei Zhang <zzyiwei@chromium.org>
+Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/30362>
+---
+ src/virtio/vulkan/vn_renderer_virtgpu.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/virtio/vulkan/vn_renderer_virtgpu.c b/src/virtio/vulkan/vn_renderer_virtgpu.c
+index df231a1aaefca..5aaae2a89115d 100644
+--- a/src/virtio/vulkan/vn_renderer_virtgpu.c
++++ b/src/virtio/vulkan/vn_renderer_virtgpu.c
+@@ -1111,10 +1111,15 @@ virtgpu_bo_destroy(struct vn_renderer *renderer, struct vn_renderer_bo *_bo)
+ 
+    if (bo->base.mmap_ptr)
+       munmap(bo->base.mmap_ptr, bo->base.mmap_size);
+-   virtgpu_ioctl_gem_close(gpu, bo->gem_handle);
+ 
+-   /* set gem_handle to 0 to indicate that the bo is invalid */
++   /* Set gem_handle to 0 to indicate that the bo is invalid. Must be set
++    * before closing gem handle. Otherwise the same gem handle can be reused
++    * by another newly created bo and unexpectedly gotten zero'ed out the
++    * tracked gem handle.
++    */
++   const uint32_t gem_handle = bo->gem_handle;
+    bo->gem_handle = 0;
++   virtgpu_ioctl_gem_close(gpu, gem_handle);
+ 
+    mtx_unlock(&gpu->dma_buf_import_mutex);
+ 
+-- 
+GitLab
+
diff --git a/mesa.spec b/mesa.spec
index bba6a3e..853dade 100644
--- a/mesa.spec
+++ b/mesa.spec
@@ -52,7 +52,7 @@
 Name:           mesa
 Summary:        Mesa graphics libraries
 Version:        24.0.3
-Release:        2
+Release:        3
 
 License:        MIT
 URL:            http://www.mesa3d.org
@@ -62,6 +62,8 @@ Patch1:         backport-fix-build-err-on-arm.patch
 Patch2:         0001-changed_by_upstream_26018_orcjit_patch.patch
 Patch3:         0001-llvmpipe-add-loongarch64-basic-support.patch
 Patch4:         0002-llvmpipe-support-loongarch64-orcjit.patch
+Patch5:         backport-fix-double-free-of-BBitmap.patch
+Patch6:         backport-fix-a-race-condition-between-gem-close-and-gem-handle-tracking.patch
 
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@@ -580,6 +582,10 @@ done
 %endif
 
 %changelog
+* Thu Aug 1 2024 zhangxingrong <zhangxingrong@uniontech.cn> - 24.0.3-3
+- egl/haiku: fix double free of BBitmap
+- venus: fix a race condition between gem close and gem handle tracking
+
 * Mon May 20 2024 zhaojiale <zhaojiale@loongson.cn> - 24.0.3-2
 - add upstream orcjit patch and support loongarch64 orcjit
 
-- 
Gitee