virgl: Stack overflow in virgl_bind_sampler_states on hosts with more than 32 samplers
As of 63c4c559 (virgl: obtain supported number of shader sampler views from host), the number of samplers is passed from the host, up to a maximum of PIPE_MAX_SHADER_SAMPLER_VIEWS (128).
virgl_bind_sampler_states uses an array handles[32] with a fixed size of 32, causing stack corruption and crashes when the host supports more than 32 samplers.
Backtrace:
#0 virgl_bind_sampler_states (ctx=0x5556a47f60, shader=MESA_SHADER_VERTEX, start_slot=0, num_samplers=64, samplers=0x7f7be4f550 <zeros>) at ../src/gallium/drivers/virgl/virgl_context.c:1183
#1 0x0000007f7ad4801c in cso_unbind_context (ctx=ctx@entry=0x5556a59960) at ../src/gallium/auxiliary/cso_cache/cso_context.c:378
#2 0x0000007f7ad48364 in cso_destroy_context (ctx=0x5556a59960) at ../src/gallium/auxiliary/cso_cache/cso_context.c:449
#3 0x0000007f7a92e10c in st_destroy_context_priv (st=st@entry=0x5556a57f70, destroy_pipe=destroy_pipe@entry=true) at ../src/mesa/state_tracker/st_context.c:388
#4 0x0000007f7a92f73c in st_destroy_context (st=0x5556a57f70) at ../src/mesa/state_tracker/st_context.c:1009
#5 0x0000007f7a88533c in dri_destroy_context (cPriv=cPriv@entry=0x5556a47ed0) at ../src/gallium/frontends/dri/dri_context.c:262
#6 0x0000007f7a8892f8 in driDestroyContext (pcp=0x5556a47ed0) at ../src/gallium/frontends/dri/dri_util.c:682
#7 driDestroyContext (pcp=0x5556a47ed0) at ../src/gallium/frontends/dri/dri_util.c:679
#8 0x0000007fe014c3f4 in dri2_destroy_context (disp=<optimized out>, ctx=0x5555b797c0) at ../src/egl/drivers/dri2/egl_dri2.c:1688
#9 0x0000007fe013f6ac in eglDestroyContext (dpy=<optimized out>, ctx=0x5555b797c0) at ../src/egl/main/eglapi.c:926
#10 0x0000007ff52f9060 in WebCore::GLContextEGL::~GLContextEGL () at ./Source/WebCore/platform/graphics/egl/GLContextEGL.cpp:441
#11 0x0000007ff52f90e4 in WebCore::GLContextEGL::~GLContextEGL () at ./Source/WebCore/platform/graphics/egl/GLContextEGL.cpp:453
#12 0x0000007ff38191a0 in std::default_delete<WebCore::GLContext>::operator() () at /usr/include/c++/12/bits/unique_ptr.h:95
#13 std::unique_ptr<WebCore::GLContext, std::default_delete<WebCore::GLContext> >::~unique_ptr () at /usr/include/c++/12/bits/unique_ptr.h:396
#14 tryInitializeEGL () at ./Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:133
#15 WebKit::AcceleratedBackingStoreWayland::checkRequirements () at ./Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:153
#16 0x0000007ff38229e0 in WebKit::HardwareAccelerationManager::HardwareAccelerationManager () at ./Source/WebKit/UIProcess/gtk/HardwareAccelerationManager.cpp:55
#17 0x0000007ff3822a80 in WTF::NeverDestroyed<WebKit::HardwareAccelerationManager, WTF::AnyThreadsAccessTraits>::NeverDestroyed<>() () at WTF/Headers/wtf/NeverDestroyed.h:67
#18 WebKit::HardwareAccelerationManager::singleton () at ./Source/WebKit/UIProcess/gtk/HardwareAccelerationManager.cpp:36
#19 0x0000007ff3831040 in WebKit::WebPreferences::platformInitializeStore () at ./Source/WebKit/UIProcess/gtk/WebPreferencesGtk.cpp:42
#20 0x0000007ff366c1e4 in WebKit::WebPreferences::create () at ./Source/WebKit/UIProcess/WebPreferences.cpp:45
#21 0x0000007ff3752760 in _WebKitSettingsPrivate::_WebKitSettingsPrivate () at ./Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:60
#22 0x0000007ff6ef9d48 in g_type_create_instance (type=<optimized out>) at ../../../gobject/gtype.c:1931
#23 0x0000007ff6edd3e4 in g_object_new_internal (class=class@entry=0x555603e650, params=params@entry=0x7fffffc5c8, n_params=n_params@entry=14) at ../../../gobject/gobject.c:2228
#24 0x0000007ff6edf288 in g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=...) at ../../../gobject/gobject.c:2567
#25 0x0000007ff374acfc in webkit_settings_new_with_settings () at ./Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp:1661
#26 0x0000007ff2a912d4 in e_web_view_get_default_webkit_settings () at ./src/e-util/e-web-view.c:3625
#27 0x0000007ff2a913b4 in web_view_constructor (type=366506266112, n_construct_properties=12, construct_properties=0x7fffffcbd0) at ./src/e-util/e-web-view.c:1058
#28 0x0000007ff6edcff8 in g_object_new_with_custom_constructor (class=class@entry=0x5555fbf320, params=params@entry=0x7fffffcea8, n_params=n_params@entry=2) at ../../../gobject/gobject.c:2146
#29 0x0000007ff6edd3b8 in g_object_new_internal (class=class@entry=0x5555fbf320, params=params@entry=0x7fffffcea8, n_params=n_params@entry=2) at ../../../gobject/gobject.c:2226
#30 0x0000007ff6edf288 in g_object_new_valist (object_type=object_type@entry=366506266112, first_property_name=first_property_name@entry=0x7fe2665278 "headers-collapsable", var_args=...) at ../../../gobject/gobject.c:2567
#31 0x0000007ff6edf8d0 in g_object_new (object_type=object_type@entry=366506266112, first_property_name=first_property_name@entry=0x7fe2665278 "headers-collapsable") at ../../../gobject/gobject.c:2040
#32 0x0000007fe25eecd4 in mail_paned_view_constructed (object=0x5555e417a0) at ./src/mail/e-mail-paned-view.c:827
#33 0x0000007ff6edd49c in g_object_new_internal (class=class@entry=0x5555fb3980, params=params@entry=0x7fffffd498, n_params=n_params@entry=1) at ../../../gobject/gobject.c:2279
#34 0x0000007ff6edf288 in g_object_new_valist (object_type=<optimized out>, first_property_name=first_property_name@entry=0x7fe2667660 "shell-view", var_args=...) at ../../../gobject/gobject.c:2567
#35 0x0000007ff6edf8d0 in g_object_new (object_type=<optimized out>, first_property_name=first_property_name@entry=0x7fe2667660 "shell-view") at ../../../gobject/gobject.c:2040
#36 0x0000007fe25ef58c in e_mail_paned_view_new (shell_view=shell_view@entry=0x5555e207c0) at ./src/mail/e-mail-paned-view.c:1329
#37 0x0000007fe1a7decc in mail_shell_content_constructed (object=0x5555e20ad0) at ./src/modules/mail/e-mail-shell-content.c:287
#38 0x0000007ff6edd49c in g_object_new_internal (class=class@entry=0x5555ea9000, params=params@entry=0x7fffffda78, n_params=n_params@entry=1) at ../../../gobject/gobject.c:2279
#39 0x0000007ff6edf288 in g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=...) at ../../../gobject/gobject.c:2567
#40 0x0000007ff6edf8d0 in g_object_new (object_type=<optimized out>, first_property_name=<optimized out>) at ../../../gobject/gobject.c:2040
#41 0x0000007ff7f88088 in shell_view_constructed (object=0x5555e207c0) at ./src/shell/e-shell-view.c:630
#42 0x0000007fe1a81994 in mail_shell_view_constructed (object=0x5555e207c0) at ./src/modules/mail/e-mail-shell-view.c:532
#43 0x0000007ff6edd49c in g_object_new_internal (class=class@entry=0x5555986000, params=params@entry=0x7fffffe0f8, n_params=n_params@entry=3) at ../../../gobject/gobject.c:2279
#44 0x0000007ff6edf288 in g_object_new_valist (object_type=object_type@entry=366506306880, first_property_name=first_property_name@entry=0x7ff7f92f18 "action", var_args=...) at ../../../gobject/gobject.c:2567
#45 0x0000007ff6edf8d0 in g_object_new (object_type=object_type@entry=366506306880, first_property_name=first_property_name@entry=0x7ff7f92f18 "action") at ../../../gobject/gobject.c:2040
#46 0x0000007ff7f8ad48 in shell_window_create_shell_view (shell_window=0x5555e9e560, view_name=<optimized out>) at ./src/shell/e-shell-window.c:753
#47 0x0000007ff7f8a5bc in e_shell_window_get_shell_view (shell_window=shell_window@entry=0x5555e9e560, view_name=view_name@entry=0x5555e3ee30 "mail") at ./src/shell/e-shell-window.c:1306
#48 0x0000007ff7f8b6e0 in e_shell_window_set_active_view (shell_window=0x5555e9e560, view_name=0x5555e3ee30 "mail") at ./src/shell/e-shell-window.c:1543
#49 0x0000007ff6edcc44 in object_set_property (object=object@entry=0x5555e9e560, pspec=0x7fc000b580, value=value@entry=0x7fffffe660, nqueue=nqueue@entry=0x555563a6c0, user_specified=user_specified@entry=1) at ../../../gobject/gobject.c:1794
#50 0x0000007ff6edfa90 in g_object_setv (values=<optimized out>, names=<optimized out>, n_properties=<optimized out>, object=0x5555e9e560) at ../../../gobject/gobject.c:2705
#51 g_object_setv (object=0x5555e9e560, n_properties=<optimized out>, names=<optimized out>, values=<optimized out>) at ../../../gobject/gobject.c:2676
#52 0x0000007ff6ee0bcc in g_object_set_property (object=<optimized out>, property_name=<optimized out>, value=value@entry=0x7fffffe660) at ../../../gobject/gobject.c:3005
#53 0x0000007ff7048a50 in g_settings_binding_key_changed (settings=settings@entry=0x55558876a0, key=<optimized out>, user_data=user_data@entry=0x555597de60) at ../../../gio/gsettings.c:2696
#54 0x0000007ff704bcd4 in g_settings_bind_with_mapping (settings=0x55558876a0, key=0x7ff7f91ba8 "default-component-id", object=0x5555e9e560, property=<optimized out>,
flags=(G_SETTINGS_BIND_GET | G_SETTINGS_BIND_SET | G_SETTINGS_BIND_GET_NO_CHANGES), get_mapping=<optimized out>, set_mapping=0x0, user_data=<optimized out>, destroy=0x0) at ../../../gio/gsettings.c:3007
#55 0x0000007ff704c2e0 in g_settings_bind (settings=settings@entry=0x55558876a0, key=key@entry=0x7ff7f91ba8 "default-component-id", object=object@entry=0x5555e9e560, property=property@entry=0x7ff7f95818 "active-view",
flags=flags@entry=G_SETTINGS_BIND_GET_NO_CHANGES) at ../../../gio/gsettings.c:2831
#56 0x0000007ff7f8df00 in e_shell_window_private_constructed (shell_window=0x5555e9e560) at ./src/shell/e-shell-window-private.c:492
#57 0x0000007ff7f89e28 in shell_window_constructed (object=0x5555e9e560) at ./src/shell/e-shell-window.c:419
#58 0x0000007ff6edd49c in g_object_new_internal (class=class@entry=0x5555bb5400, params=params@entry=0x7fffffe9c8, n_params=n_params@entry=3) at ../../../gobject/gobject.c:2279
#59 0x0000007ff6edf288 in g_object_new_valist (object_type=<optimized out>, first_property_name=first_property_name@entry=0x7ff7f95618 "shell", var_args=...) at ../../../gobject/gobject.c:2567
#60 0x0000007ff6edf8d0 in g_object_new (object_type=<optimized out>, first_property_name=first_property_name@entry=0x7ff7f95618 "shell") at ../../../gobject/gobject.c:2040
#61 0x0000007ff7f89f68 in e_shell_window_new (shell=shell@entry=0x55556bc1f0, safe_mode=<optimized out>, geometry=<optimized out>) at ./src/shell/e-shell-window.c:1230
#62 0x0000007ff7f775a0 in e_shell_create_shell_window (shell=shell@entry=0x55556bc1f0, view_name=<optimized out>) at ./src/shell/e-shell.c:2495
#63 0x0000005555554b98 in idle_cb (uris=0x0) at ./src/shell/main.c:354
#64 0x0000007ff7cd7614 in g_main_dispatch (context=0x55555e65e0) at ../../../glib/gmain.c:3454
#65 g_main_context_dispatch (context=context@entry=0x55555e65e0) at ../../../glib/gmain.c:4172
#66 0x0000007ff7cd79e0 in g_main_context_iterate (context=0x55555e65e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4248
#67 0x0000007ff7cd7d04 in g_main_loop_run (loop=loop@entry=0x55558e54a0) at ../../../glib/gmain.c:4448
#68 0x0000007ff7642020 in gtk_main () at ../../../gtk/gtkmain.c:1329
#69 0x0000005555554840 in main (argc=<optimized out>, argv=<optimized out>) at ./src/shell/main.c:789
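As an added illustration (not virgl or Mesa code): a standalone C program that places the fixed-size handles[32] pattern described in the report beside a version whose local array is sized to the 128-entry host maximum and which validates the slot range before writing anything. The demo_ names, the sampler-state struct and the 1000+i handle values are assumptions constructed for this example. The defective variant counts the entries that would be written past the end of the array instead of writing them, so it reproduces the arithmetic of the 64-sampler unbind call in frame #0 of the trace without corrupting its own stack.

```c
/* Added example, not virgl/Mesa code: the fixed-size local array pattern
 * from the report beside a bounds-checked version.  Every demo_ name and
 * the sampler-state struct are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_SAMPLER_VIEWS 128  /* value the report gives for PIPE_MAX_SHADER_SAMPLER_VIEWS */
#define DEMO_OLD_HANDLES_SIZE   32  /* size of the fixed array in the affected function */

struct demo_sampler_state { uint32_t handle; }; /* stand-in; only the handle matters here */

/* Destination the hardened binder writes into, sized for the host maximum. */
struct demo_bound_set {
    uint32_t handles[DEMO_MAX_SAMPLER_VIEWS];
    unsigned count;
};

/* Defective shape: num_samplers comes from the host (up to 128) but the local
 * array holds 32.  To stay safe to execute, this version never writes past
 * the array; it counts the entries the original code would have written onto
 * the stack and returns that count (0 means the call fits).  A NULL samplers
 * array stands for the all-zero array seen in the unbind call of the trace. */
static unsigned demo_bind_fixed_overflow_count(unsigned num_samplers,
        const struct demo_sampler_state *const *samplers)
{
    uint32_t handles[DEMO_OLD_HANDLES_SIZE];
    unsigned spilled = 0;
    for (unsigned i = 0; i < num_samplers; i++) {
        uint32_t h = (samplers && samplers[i]) ? samplers[i]->handle : 0;
        if (i < DEMO_OLD_HANDLES_SIZE)
            handles[i] = h;
        else
            spilled++;          /* original: handles[i] = h with i >= 32 */
    }
    (void)handles;
    return spilled;
}

/* Hardened shape: the array is sized to the maximum the host can report and
 * the slot range [start_slot, start_slot + num_samplers) is validated before
 * any write.  Returns the number of handles recorded, or -1 if rejected. */
static int demo_bind_checked(unsigned start_slot, unsigned num_samplers,
        const struct demo_sampler_state *const *samplers,
        struct demo_bound_set *out)
{
    /* Overflow-safe spelling of start_slot + num_samplers <= MAX. */
    if (num_samplers > DEMO_MAX_SAMPLER_VIEWS ||
        start_slot > DEMO_MAX_SAMPLER_VIEWS - num_samplers)
        return -1;
    for (unsigned i = 0; i < num_samplers; i++)
        out->handles[start_slot + i] =
            (samplers && samplers[i]) ? samplers[i]->handle : 0;
    out->count = num_samplers;
    return (int)num_samplers;
}

/* Constructed input: n sampler states with handles 1000+i (capped at 129). */
static const struct demo_sampler_state *const *demo_sample_inputs(unsigned n)
{
    static struct demo_sampler_state states[DEMO_MAX_SAMPLER_VIEWS + 1];
    static const struct demo_sampler_state *ptrs[DEMO_MAX_SAMPLER_VIEWS + 1];
    if (n > DEMO_MAX_SAMPLER_VIEWS + 1)
        n = DEMO_MAX_SAMPLER_VIEWS + 1;
    for (unsigned i = 0; i < n; i++) {
        states[i].handle = 1000 + i;
        ptrs[i] = &states[i];
    }
    return ptrs;
}

/* Binds n constructed samplers at start_slot through the checked binder and
 * returns its result code. */
static int demo_run_checked(unsigned start_slot, unsigned n)
{
    struct demo_bound_set set;
    memset(&set, 0, sizeof set);
    return demo_bind_checked(start_slot, n, demo_sample_inputs(n), &set);
}

/* Same call, but returns the handle left in the last written slot (0 if rejected). */
static uint32_t demo_last_bound_handle(unsigned start_slot, unsigned n)
{
    struct demo_bound_set set;
    memset(&set, 0, sizeof set);
    if (demo_bind_checked(start_slot, n, demo_sample_inputs(n), &set) <= 0)
        return 0;
    return set.handles[start_slot + n - 1];
}

int main(void)
{
    printf("old shape, 64 samplers: %u handles spill past the array\n",
           demo_bind_fixed_overflow_count(64, demo_sample_inputs(64)));
    printf("checked, 64 samplers: rc=%d\n", demo_run_checked(0, 64));
    printf("checked, 64 samplers: last handle=%u\n", demo_last_bound_handle(0, 64));
    printf("checked, 129 samplers: rc=%d\n", demo_run_checked(0, 129));
    printf("checked, start 100 + 64: rc=%d\n", demo_run_checked(100, 64));
    return 0;
}
```

Two points the hardened variant makes explicit: the local array is dimensioned by the same constant that bounds what the host can report, so the two cannot drift apart again, and the range check is written as start_slot > MAX - num_samplers rather than start_slot + num_samplers > MAX so that an attacker-controlled or corrupted count cannot wrap the unsigned sum back into range.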