[Mesa-dev] [PATCH v2] i965: Fix shadow batches to be the same size as the real BO.

[Lionel Landwerlin]

Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin at intel.com>

On 13/04/18 13:49, Kenneth Graunke wrote:
> brw_bo_alloc may round up our allocation size to the next bucket size.
> In this case, we would malloc a shadow buffer that was the original
> intended size, but use bo->size (the larger size) for all of our checks.
>
> This could cause us to run off the end of the shadow buffer.
>
> v2: Actually use the new BO size (caught by Lionel)
>
> Reported-by: James Xiong <james.xiong at intel.com>
> Fixes: c7dcee58b5fe183e1653c13bff6a212f0d157b29 (i965: Avoid problems from referencing orphaned BOs after growing.)
> ---
>   src/mesa/drivers/dri/i965/intel_batchbuffer.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/mesa/drivers/dri/i965/intel_batchbuffer.c b/src/mesa/drivers/dri/i965/intel_batchbuffer.c
> index 55889be7327..a29159e41ba 100644
> --- a/src/mesa/drivers/dri/i965/intel_batchbuffer.c
> +++ b/src/mesa/drivers/dri/i965/intel_batchbuffer.c
> @@ -360,8 +360,11 @@ grow_buffer(struct brw_context *brw,
>         /* We can't safely use realloc, as it may move the existing buffer,
>          * breaking existing pointers the caller may still be using.  Just
>          * malloc a new copy and memcpy it like the normal BO path.
> +       *
> +       * Use bo->size rather than new_size because the bufmgr may have
> +       * rounded up the size, and we want the shadow size to match.
>          */
> -      grow->map = malloc(new_size);
> +      grow->map = malloc(new_bo->size);
>      } else {
>         grow->map = brw_bo_map(brw, new_bo, MAP_READ | MAP_WRITE);
>      }