From ee320276cd72f33742ef425952f2ae280232e422 Mon Sep 17 00:00:00 2001
From: Ian Romanick
Date: Tue, 20 Aug 2024 16:43:59 -0700
Subject: [PATCH] anv: Protect against OOB access to anv_state_pool::buckets

Suggested-by: Paulo Zanoni
Reviewed-by: Paulo Zanoni
Cc: mesa-stable
Part-of:
(cherry picked from commit 0921dfa04476c8c93e3caa7587905edf1b623749)
---
 .pick_status.json | 2 +-
 src/intel/vulkan/anv_allocator.c | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.pick_status.json b/.pick_status.json
index 397323161ac..a2644e1b7fd 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -54,7 +54,7 @@
 "description": "anv: Protect against OOB access to anv_state_pool::buckets",
 "nominated": true,
 "nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": null,
 "notes": null
diff --git a/src/intel/vulkan/anv_allocator.c b/src/intel/vulkan/anv_allocator.c
index 7ea37ebe4df..277ba3b40a3 100644
--- a/src/intel/vulkan/anv_allocator.c
+++ b/src/intel/vulkan/anv_allocator.c
@@ -777,6 +777,10 @@ anv_state_pool_return_blocks(struct anv_state_pool *pool,
 }
 
 uint32_t block_bucket = anv_state_pool_get_bucket(block_size);
+
+ if (block_bucket >= ARRAY_SIZE(pool->buckets))
+ return;
+
 anv_free_list_push(&pool->buckets[block_bucket].free_list,
 &pool->table, st_idx, count);
 }
@@ -839,6 +843,9 @@ anv_state_pool_alloc_no_vg(struct anv_state_pool *pool,
 {
 uint32_t bucket = anv_state_pool_get_bucket(MAX2(size, align));
 
+ if (bucket >= ARRAY_SIZE(pool->buckets))
+ return ANV_STATE_NULL;
+
 struct anv_state *state;
 uint32_t alloc_size = anv_state_pool_get_bucket_size(bucket);
 int64_t offset;
@@ -949,6 +956,9 @@ anv_state_pool_free_no_vg(struct anv_state_pool *pool, struct anv_state state)
 
 assert(state.offset >= pool->start_offset);
 
+ if (bucket >= ARRAY_SIZE(pool->buckets))
+ return;
+
 anv_free_list_push(&pool->buckets[bucket].free_list,
 &pool->table, state.idx, 1);
 }
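Review bot: The new `return` in anv_state_pool_return_blocks discards the blocks silently when `block_bucket` is past the end of `pool->buckets`: nothing is pushed to a free list and the caller gets no indication, so the range described by `st_idx`/`count` appears to be leaked for the life of the pool. The same silent drop is added in anv_state_pool_free_no_vg. The out-of-bounds access is prevented, but a size that maps past the last bucket presumably should never reach these paths, so I would document the choice at both sites, e.g. `/* Size maps past the last bucket: drop rather than index out of bounds; the state is leaked, not recycled. */`, and consider a debug-only log or assertion so the condition is noticed in testing. Both function bodies start outside their hunks, so how `block_size` and `bucket` are derived is not visible here.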
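Review bot: Returning `ANV_STATE_NULL` from anv_state_pool_alloc_no_vg makes an oversized `MAX2(size, align)` a recoverable failure only if every caller tests the result before using the state. Callers are not part of this patch, so that should be confirmed; an unchecked null state would move the fault from the bucket array to the first use of the returned state. The contract change deserves a comment above the check, e.g. `/* Request exceeds the largest bucket: fail instead of indexing past pool->buckets; callers must handle ANV_STATE_NULL. */`. The function body continues past the end of the hunk.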