From 49aecf0e930e5ac823114ed50a46f5bb1d7bc255 Mon Sep 17 00:00:00 2001
From: Lars-Ivar Hesselberg Simonsen
Date: Tue, 5 Aug 2025 13:29:40 +0200
Subject: [PATCH] panvk: Fix IUB decode

The buffer is only an IUB if it's within the size of the resource entry. Otherwise, it might just be a buffer that landed just after the descriptor allocation.

Fixes: fb38f102406 ("panvk: Handle IUBs in decoder")
Reviewed-by: Christoph Pillmayer
Part-of:
(cherry picked from commit db4bcd48d7a6a775aad608686b865ef584a31861)
---
 .pick_status.json | 2 +-
 src/panfrost/genxml/decode.c | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 01d0b004b63..77ee605c298 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -4554,7 +4554,7 @@
 "description": "panvk: Fix IUB decode",
 "nominated": true,
 "nomination_type": 2,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "fb38f10240611319d9bb934c28990f60a4dc0ed2",
 "notes": null
diff --git a/src/panfrost/genxml/decode.c b/src/panfrost/genxml/decode.c
index 14c653ecf5a..7003cb7ba39 100644
--- a/src/panfrost/genxml/decode.c
+++ b/src/panfrost/genxml/decode.c
@@ -565,14 +565,16 @@ GENX(pandecode_shader)(struct pandecode_context *ctx, uint64_t addr,
 static unsigned
 pandecode_buffer(struct pandecode_context *ctx,
- const struct mali_buffer_packed *cl, uint64_t addr)
+ const struct mali_buffer_packed *cl, uint64_t addr,
+ uint64_t entry_size)
 {
 pan_unpack(cl, BUFFER, buffer)
 ;
 DUMP_UNPACKED(ctx, BUFFER, buffer, "Buffer @%" PRIx64 ":\n", addr);
- /* If the address is the following descriptor, this descriptor is an IUB. */
- if (buffer.address == (addr + 0x20)) {
+ /* If the address is the following descriptor and is within the resource
+ * entry, this descriptor is an IUB. */
+ if (buffer.address == (addr + 0x20) && buffer.address < addr + entry_size) {
 assert((buffer.size % 0x20) == 0);
 const uint8_t *cl_bytes = (uint8_t *)cl;
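Review bot: The added condition in `pandecode_buffer` bounds only where the IUB payload starts, not where it ends; `buffer.size` is still covered only by `assert((buffer.size % 0x20) == 0)`, which disappears in NDEBUG builds. If the code after this hunk walks `buffer.size` bytes through `cl_bytes` (the body continues outside the hunk, so this is inferred), a descriptor whose payload begins inside the entry but runs past it would make the decoder read beyond the fetched table. I would extend the test to the whole payload, e.g. `buffer.address + buffer.size <= addr + entry_size` with `entry_size` counted from `addr`, and treat the descriptor as a plain buffer when it fails.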
@@ -621,7 +623,7 @@ pandecode_resources(struct pandecode_context *ctx, uint64_t addr, unsigned size)
 break;
 case MALI_DESCRIPTOR_TYPE_BUFFER:
 i += pandecode_buffer(ctx, (const struct mali_buffer_packed *)&cl[i],
- addr + i);
+ addr + i, size);
 break;
 default:
 fprintf(ctx->dump_stream, "Unknown descriptor type %X\n", header.type);
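Review bot: `size` is the length of the whole table that starts at `addr`, but the address passed next to it is `addr + i`, so inside `pandecode_buffer` the bound `addr + entry_size` lands `i` bytes past the end of the table. Because `buffer.address == addr + 0x20` is already required, the new comparison reduces to `0x20 < size` and no longer depends on the descriptor's position, so the last descriptor of a multi-entry table would still be taken for an IUB when a buffer sits right behind the allocation. Passing the remaining length, `addr + i, size - i);`, would make the check match the commit message. This assumes `i` is the byte offset into the table, which the loop header outside the hunk should confirm.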