From ba2a4207f91bc5e5af0fdbff72c57fd0c5b8d4e7 Mon Sep 17 00:00:00 2001
From: Kenneth Graunke <kenneth@whitecape.org>
Date: Mon, 22 Oct 2018 14:35:33 -0700
Subject: [PATCH] iris: Clamp UBO and SSBO access to the actual BO size, for
 safety

---
 src/gallium/drivers/iris/iris_state.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/iris/iris_state.c b/src/gallium/drivers/iris/iris_state.c
index de4adffce9d..e3ae6a6fceb 100644
--- a/src/gallium/drivers/iris/iris_state.c
+++ b/src/gallium/drivers/iris/iris_state.c
@@ -2112,7 +2112,8 @@ iris_set_constant_buffer(struct pipe_context *ctx,
 
       isl_buffer_fill_state(&screen->isl_dev, map,
                             .address = res->bo->gtt_offset + cbuf->data.offset,
-                            .size_B = input->buffer_size,
+                            .size_B = MIN2(input->buffer_size,
+                                           res->bo->size - cbuf->data.offset),
                             .format = ISL_FORMAT_R32G32B32A32_FLOAT,
                             .stride_B = 1,
                             .mocs = MOCS_WB)
@@ -2169,7 +2170,9 @@ iris_set_shader_buffers(struct pipe_context *ctx,
          isl_buffer_fill_state(&screen->isl_dev, map,
                                .address =
                                   res->bo->gtt_offset + buffer->buffer_offset,
-                               .size_B = buffer->buffer_size,
+                               .size_B =
+                                  MIN2(buffer->buffer_size,
+                                       res->bo->size - buffer->buffer_offset),
                                .format = ISL_FORMAT_RAW,
                                .stride_B = 1,
                                .mocs = MOCS_WB);
-- 
2.30.2