summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKenneth Graunke <[email protected]>2018-04-13 11:48:06 -0700
committerKenneth Graunke <[email protected]>2018-04-18 13:55:08 -0700
commitda25ae92bebb8921003c0df30820d06a5f5e3fef (patch)
tree0cabf88c35ba87f19d3d2849d918a31210f48870
parent7bd24d951a69292b5a8090000541ece2142591ef (diff)
i965: Fix shadow batches to be the same size as the real BO.
brw_bo_alloc may round up our allocation size to the next bucket size. In this case, we would malloc a shadow buffer that was the original intended size, but use bo->size (the larger size) for all of our checks. This could cause us to run off the end of the shadow buffer. v2: Actually use the new BO size (caught by Lionel) Reported-by: James Xiong <[email protected]> Reviewed-by: Lionel Landwerlin <[email protected]> Fixes: c7dcee58b5fe183e1653c13bff6a212f0d157b29 (i965: Avoid problems from referencing orphaned BOs after growing.)
-rw-r--r--src/mesa/drivers/dri/i965/intel_batchbuffer.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/mesa/drivers/dri/i965/intel_batchbuffer.c b/src/mesa/drivers/dri/i965/intel_batchbuffer.c
index 55889be7327..a29159e41ba 100644
--- a/src/mesa/drivers/dri/i965/intel_batchbuffer.c
+++ b/src/mesa/drivers/dri/i965/intel_batchbuffer.c
@@ -360,8 +360,11 @@ grow_buffer(struct brw_context *brw,
/* We can't safely use realloc, as it may move the existing buffer,
* breaking existing pointers the caller may still be using. Just
* malloc a new copy and memcpy it like the normal BO path.
+ *
+ * Use bo->size rather than new_size because the bufmgr may have
+ * rounded up the size, and we want the shadow size to match.
*/
- grow->map = malloc(new_size);
+ grow->map = malloc(new_bo->size);
} else {
grow->map = brw_bo_map(brw, new_bo, MAP_READ | MAP_WRITE);
}