From 0f4f98ea502954b1d8ed9926eec6e501da0cbe62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <marek.olsak@amd.com>
Date: Fri, 3 Jun 2022 17:38:09 -0400
Subject: [PATCH] radeonsi: fix a crash in gfx10_sh_query_get_result_resource

If tmp_buffer (in ssbo[1]) is NULL, setting the writable bit causes
the called function to access the NULL buffer.

Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16885>
---
 src/gallium/drivers/radeonsi/gfx10_query.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/radeonsi/gfx10_query.c b/src/gallium/drivers/radeonsi/gfx10_query.c
index f27cec22e88..febabf7967e 100644
--- a/src/gallium/drivers/radeonsi/gfx10_query.c
+++ b/src/gallium/drivers/radeonsi/gfx10_query.c
@@ -403,9 +403,11 @@ static void gfx10_sh_query_get_result_resource(struct si_context *sctx, struct s
          si_cp_wait_mem(sctx, &sctx->gfx_cs, va, 0x00000001, 0x00000001, 0);
       }
 
+      /* ssbo[2] is either tmp_buffer or resource */
+      assert(ssbo[2].buffer);
       si_launch_grid_internal_ssbos(sctx, &grid, sctx->sh_query_result_shader,
                                     SI_OP_SYNC_PS_BEFORE | SI_OP_SYNC_AFTER, SI_COHERENCY_SHADER,
-                                    3, ssbo, 0x6);
+                                    3, ssbo, (1 << 2) | (ssbo[1].buffer ? 1 << 1 : 0));
 
       if (qbuf == query->last)
          break;