From db4bcd48d7a6a775aad608686b865ef584a31861 Mon Sep 17 00:00:00 2001
From: Lars-Ivar Hesselberg Simonsen
Date: Tue, 5 Aug 2025 13:29:40 +0200
Subject: [PATCH] panvk: Fix IUB decode

The buffer is only an IUB if it's within the size of the resource entry. Otherwise, it might just be a buffer that landed just after the descriptor allocation.

Fixes: fb38f102406 ("panvk: Handle IUBs in decoder")
Reviewed-by: Christoph Pillmayer
Part-of:
---
 src/panfrost/genxml/decode.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/panfrost/genxml/decode.c b/src/panfrost/genxml/decode.c
index fbfaa056baf..67717ddbef9 100644
--- a/src/panfrost/genxml/decode.c
+++ b/src/panfrost/genxml/decode.c
@@ -565,14 +565,16 @@ GENX(pandecode_shader)(struct pandecode_context *ctx, uint64_t addr,
 static unsigned
 pandecode_buffer(struct pandecode_context *ctx,
- const struct mali_buffer_packed *cl, uint64_t addr)
+ const struct mali_buffer_packed *cl, uint64_t addr,
+ uint64_t entry_size)
 {
 pan_unpack(cl, BUFFER, buffer) ;
 DUMP_UNPACKED(ctx, BUFFER, buffer, "Buffer @%" PRIx64 ":\n", addr);
- /* If the address is the following descriptor, this descriptor is an IUB. */
- if (buffer.address == (addr + 0x20)) {
+ /* If the address is the following descriptor and is within the resource
+ * entry, this descriptor is an IUB. */
+ if (buffer.address == (addr + 0x20) && buffer.address < addr + entry_size) {
 assert((buffer.size % 0x20) == 0);
 const uint8_t *cl_bytes = (uint8_t *)cl;
@@ -621,7 +623,7 @@ pandecode_resources(struct pandecode_context *ctx, uint64_t addr, unsigned size)
 break;
 case MALI_DESCRIPTOR_TYPE_BUFFER:
 i += pandecode_buffer(ctx, (const struct mali_buffer_packed *)&cl[i],
- addr + i);
+ addr + i, size);
 break;
 default:
 fprintf(ctx->dump_stream, "Unknown descriptor type %X\n", header.type);
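Review bot: The new condition in pandecode_buffer bounds only the start of the inline data, so a descriptor whose `buffer.size` extends past the resource entry is still decoded as an IUB. `buffer.size` is checked only by `assert((buffer.size % 0x20) == 0)`, which disappears in NDEBUG builds, and the rest of the branch lies outside the hunk; if it walks `buffer.size` bytes through `cl_bytes`, a stale or malformed descriptor would presumably make the decoder read past the mapped entry. Consider adding the extent to the test, e.g. `entry_size >= 0x20 && buffer.size <= entry_size - 0x20`, and a parameter comment such as `/* entry_size: bytes left in the resource entry, counted from addr */`.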
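Review bot: The call in pandecode_resources passes the whole-entry `size` together with the offset address `addr + i`, so inside pandecode_buffer the limit `addr + entry_size` lands `i` bytes beyond the end of the entry. Because `buffer.address == addr + 0x20` is already required, the added clause reduces to `0x20 < size` and no longer depends on where the descriptor sits, so a buffer placed right after the last descriptor would still be taken for an IUB whenever `size` exceeds 0x20. This assumes `size` is the byte length of the entry starting at `addr` and `i` is a byte offset; the loop itself is outside the hunk. If that holds, pass the remaining length instead: `addr + i, size - i);`.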