i915: fix emit_hw_vertex() unbounded memory access

What does this MR do and why?

This change adds the DRAW_ATTR_NONEXIST functionality
which fixes the memory access issue.

For instance, this issue is triggered with "piglit/bin/glsl-routing -auto -fbo":
==8384==ERROR: AddressSanitizer: heap-use-after-free on address 0xa11dfd84 at pc 0xae573fbd bp 0xbf87f688 sp 0xbf87f67c
READ of size 4 at 0xa11dfd84 thread T0
    #0 0xae573fbc in emit_hw_vertex ../src/gallium/drivers/i915/i915_prim_emit.c:92
    #1 0xae574ab0 in emit_prim ../src/gallium/drivers/i915/i915_prim_emit.c:154
    #2 0xae574ab0 in setup_tri ../src/gallium/drivers/i915/i915_prim_emit.c:160
    #3 0xad65d322 in do_triangle ../src/gallium/auxiliary/draw/draw_pipe.c:173
    #4 0xad65d322 in pipe_run_linear ../src/gallium/auxiliary/draw/draw_decompose_tmp.h:181
    #5 0xad663375 in draw_pipeline_run_linear ../src/gallium/auxiliary/draw/draw_pipe.c:337
    #6 0xad86d9ac in pipeline ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:476
    #7 0xad86d9ac in llvm_pipeline_generic ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:701
    #8 0xad86ed75 in llvm_middle_end_linear_run ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:784
    #9 0xad6aaaee in vsplit_segment_simple_linear ../src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h:223
    #10 0xad6aaaee in vsplit_run_linear ../src/gallium/auxiliary/draw/draw_split_tmp.h:64
    #11 0xad68a74b in draw_pt_arrays ../src/gallium/auxiliary/draw/draw_pt.c:161
    #12 0xad68b7ca in draw_pt_arrays_restart ../src/gallium/auxiliary/draw/draw_pt.c:430
    #13 0xad68b7ca in draw_instances ../src/gallium/auxiliary/draw/draw_pt.c:491
    #14 0xad68ce0a in draw_vbo ../src/gallium/auxiliary/draw/draw_pt.c:628
    #15 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:115
    #16 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:51
    #17 0xac7f50d3 in _mesa_draw_arrays ../src/mesa/main/draw.c:1204

Fixes: 247cee92df0e ("i915g: replace "uint" with normal uint32_t.")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
