panvk: Fix IUB decode

The buffer is only an IUB if it's within the size of the resource entry.
Otherwise, it might just be a buffer that landed just after the
descriptor allocation.

Fixes: fb38f10240 ("panvk: Handle IUBs in decoder")
Reviewed-by: Christoph Pillmayer <christoph.pillmayer@arm.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/36519>
(cherry picked from commit db4bcd48d7)
Lars-Ivar Hesselberg Simonsen 2025-08-05 13:29:40 +02:00 committed by Eric Engestrom
parent 9429399bc8
commit 49aecf0e93
2 changed files with 7 additions and 5 deletions


@ -4554,7 +4554,7 @@
"description": "panvk: Fix IUB decode",
"nominated": true,
"nomination_type": 2,
"resolution": 0,
"resolution": 1,
"main_sha": null,
"because_sha": "fb38f10240611319d9bb934c28990f60a4dc0ed2",
"notes": null


@ -565,14 +565,16 @@ GENX(pandecode_shader)(struct pandecode_context *ctx, uint64_t addr,
static unsigned
pandecode_buffer(struct pandecode_context *ctx,
const struct mali_buffer_packed *cl, uint64_t addr)
const struct mali_buffer_packed *cl, uint64_t addr,
uint64_t entry_size)
{
pan_unpack(cl, BUFFER, buffer)
;
DUMP_UNPACKED(ctx, BUFFER, buffer, "Buffer @%" PRIx64 ":\n", addr);
/* If the address is the following descriptor, this descriptor is an IUB. */
if (buffer.address == (addr + 0x20)) {
/* If the address is the following descriptor and is within the resource
* entry, this descriptor is an IUB. */
if (buffer.address == (addr + 0x20) && buffer.address < addr + entry_size) {
assert((buffer.size % 0x20) == 0);
const uint8_t *cl_bytes = (uint8_t *)cl;
@ -621,7 +623,7 @@ pandecode_resources(struct pandecode_context *ctx, uint64_t addr, unsigned size)
break;
case MALI_DESCRIPTOR_TYPE_BUFFER:
i += pandecode_buffer(ctx, (const struct mali_buffer_packed *)&cl[i],
addr + i);
addr + i, size);
break;
default:
fprintf(ctx->dump_stream, "Unknown descriptor type %X\n", header.type);
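Review bot: The new bound in `pandecode_buffer` looks too loose, because the caller passes `addr + i` together with the full `size`, so `addr + entry_size` lands `i` bytes past the end of the resource table and a buffer descriptor in the last slot (with `i > 0`) is still decoded as an IUB. Assuming `size` is the length of the whole table, as the `pandecode_resources` signature in the hunk header suggests, passing the remaining length would make the comparison match the comment: `addr + i, size - i);`. The check also covers only the start of the inline data. The IUB branch continues outside the hunk, but if it walks `buffer.size` bytes from `cl`, the condition should also require `buffer.size <= entry_size - 0x20`, since the existing `assert` only checks alignment and is compiled out in release builds.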