From c247de37bbcbfeb92971ce91ef774abe46afd815 Mon Sep 17 00:00:00 2001
From: Asahi Lina <lina@asahilina.net>
Date: Fri, 11 Aug 2023 17:04:00 +0900
Subject: [PATCH] asahi: Fix incorrect BO bitmap reallocations

If the BO handle is greater than 2x what fits inside the current bitmap
size, then we end up overflowing. Make sure to always reallocate to a
large enough bitmap, not just 2x the previous size.

Found while replaying firefox apitraces with looping (which apparently
leaks a ton of objects, but that might just be apitrace).

Signed-off-by: Asahi Lina <lina@asahilina.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/24635>
---
 src/gallium/drivers/asahi/agx_state.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/asahi/agx_state.h b/src/gallium/drivers/asahi/agx_state.h
index 06c49ed37ec..8aaa9e98e8a 100644
--- a/src/gallium/drivers/asahi/agx_state.h
+++ b/src/gallium/drivers/asahi/agx_state.h
@@ -707,10 +707,14 @@ agx_batch_add_bo(struct agx_batch *batch, struct agx_bo *bo)
 {
    /* Double the size of the BO list if we run out, this is amortized O(1) */
    if (unlikely(bo->handle > agx_batch_bo_list_bits(batch))) {
+      unsigned word_count =
+         MAX2(batch->bo_list.word_count * 2,
+              util_next_power_of_two(BITSET_WORDS(bo->handle + 1)));
+
       batch->bo_list.set =
          rerzalloc(batch->ctx, batch->bo_list.set, BITSET_WORD,
-                   batch->bo_list.word_count, batch->bo_list.word_count * 2);
-      batch->bo_list.word_count *= 2;
+                   batch->bo_list.word_count, word_count);
+      batch->bo_list.word_count = word_count;
    }
 
    /* The batch holds a single reference to each BO in the batch, released when