From 4f9dabc1a65043f329d4bfdfc751be227619b291 Mon Sep 17 00:00:00 2001
From: Jason Ekstrand
Date: Fri, 20 May 2022 18:05:10 -0500
Subject: radv/meta: Fix a stack use-after-free with sample locations
As soon as the if ends (or possibly before?) the VkSampleLocationsInfoEXT goes out of scope. We need it to stay valid until after the vkCmdPipelineBarrier completes.
Reviewed-by: Samuel Pitoiset
Part-of:
---
 src/amd/vulkan/radv_meta_resolve.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/amd/vulkan/radv_meta_resolve.c b/src/amd/vulkan/radv_meta_resolve.c
index 0f6d688ced7..907b9d96ded 100644
--- a/src/amd/vulkan/radv_meta_resolve.c
+++ b/src/amd/vulkan/radv_meta_resolve.c
@@ -822,6 +822,7 @@ radv_decompress_resolve_src(struct radv_cmd_buffer *cmd_buffer, struct radv_imag
 }
 };
+ VkSampleLocationsInfoEXT sample_loc_info;
 if (src_image->vk.create_flags & VK_IMAGE_CREATE_SAMPLE_LOCATIONS_COMPATIBLE_DEPTH_BIT_EXT) {
 /* If the depth/stencil image uses different sample
 * locations, we need them during HTILE decompressions.
@@ -829,13 +830,14 @@ radv_decompress_resolve_src(struct radv_cmd_buffer *cmd_buffer, struct radv_imag
 struct radv_sample_locations_state *sample_locs = radv_get_resolve_sample_locations(cmd_buffer);
- barrier.pNext = &(VkSampleLocationsInfoEXT){
+ sample_loc_info = (VkSampleLocationsInfoEXT){
 .sType = VK_STRUCTURE_TYPE_SAMPLE_LOCATIONS_INFO_EXT,
 .sampleLocationsPerPixel = sample_locs->per_pixel,
 .sampleLocationGridSize = sample_locs->grid_size,
 .sampleLocationsCount = sample_locs->count,
 .pSampleLocations = sample_locs->locations,
 };
+ barrier.pNext = &sample_loc_info;
 }
 VkDependencyInfo dep_info = {
--
cgit v1.2.3
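Review bot: The function-scope `VkSampleLocationsInfoEXT sample_loc_info;` added in the first hunk has no comment saying why it sits outside the `if`, so a later cleanup could fold it back into a block-scoped compound literal and reintroduce the dangling `barrier.pNext`. I would add above the declaration: `/* Function scope on purpose: barrier.pNext points at this until the barrier is recorded below. */`. The struct stays uninitialized when the sample-locations flag is not set, which is harmless only as long as `barrier.pNext` is assigned solely inside the `if`, as the second hunk does. The rest of radv_decompress_resolve_src, including the barrier call itself, lies outside both hunks, so whether any other `pNext` there still takes the address of a block-scoped temporary cannot be confirmed from this patch.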