From: Kenneth Graunke Date: Fri, 13 Apr 2018 18:48:06 +0000 (-0700) Subject: i965: Fix shadow batches to be the same size as the real BO. X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=da25ae92bebb8921003c0df30820d06a5f5e3fef;p=mesa.git i965: Fix shadow batches to be the same size as the real BO. brw_bo_alloc may round up our allocation size to the next bucket size. In this case, we would malloc a shadow buffer that was the original intended size, but use bo->size (the larger size) for all of our checks. This could cause us to run off the end of the shadow buffer. v2: Actually use the new BO size (caught by Lionel) Reported-by: James Xiong Reviewed-by: Lionel Landwerlin Fixes: c7dcee58b5fe183e1653c13bff6a212f0d157b29 (i965: Avoid problems from referencing orphaned BOs after growing.) --- diff --git a/src/mesa/drivers/dri/i965/intel_batchbuffer.c b/src/mesa/drivers/dri/i965/intel_batchbuffer.c index 55889be7327..a29159e41ba 100644 --- a/src/mesa/drivers/dri/i965/intel_batchbuffer.c +++ b/src/mesa/drivers/dri/i965/intel_batchbuffer.c @@ -360,8 +360,11 @@ grow_buffer(struct brw_context *brw, /* We can't safely use realloc, as it may move the existing buffer, * breaking existing pointers the caller may still be using. Just * malloc a new copy and memcpy it like the normal BO path. + * + * Use bo->size rather than new_size because the bufmgr may have + * rounded up the size, and we want the shadow size to match. */ - grow->map = malloc(new_size); + grow->map = malloc(new_bo->size); } else { grow->map = brw_bo_map(brw, new_bo, MAP_READ | MAP_WRITE); }
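Review bot: In the shadow branch of grow_buffer, the return value of malloc(new_bo->size) is not checked in the lines shown, so an allocation failure would leave grow->map NULL for the memcpy that the comment describes; handle the NULL case before the copy. The added comment says "bo->size" while the code uses new_bo->size; naming new_bo->size in the comment would avoid confusion with the old BO being replaced. Because the fix depends on the shadow allocation and the size checks agreeing, an assert(new_bo->size >= new_size) next to the allocation would document the rounding behaviour the commit message describes.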