The previous implementation was copying the data using the
aligned length (size_dw). The aligned length could overflow
the original buffer size.
For instance, this issue is triggered with "piglit/bin/draw-batch -auto -fbo":
==5736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff139c77e8 at pc 0x7f25b350a9a0 bp 0x7fff139c6cb0 sp 0x7fff139c6460
READ of size 8 at 0x7fff139c77e8 thread T0
#0 0x7f25b350a99f in __interceptor_memcpy (/usr/lib64/libasan.so.6+0x3c99f)
#1 0x7f25a8fcdf24 in radeon_emit_array ../src/gallium/include/winsys/radeon_winsys.h:760
#2 0x7f25a8fcdf24 in r600_draw_vbo ../src/gallium/drivers/r600/r600_state_common.c:2448
#3 0x7f25a8ae7ba1 in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1791
#4 0x7f25a7bc18ca in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1696
#5 0x7f25a7bc7e53 in _mesa_DrawElements ../src/mesa/main/draw.c:1824
Fixes: 0cf5d1f226 ("gallium: remove PIPE_CAP_INFO_START_WITH_USER_INDICES and fix all drivers")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23436>
(cherry picked from commit 340311dac9)
if a DS3 pipeline enabling dynamic samples is not bound when samples
are set dynamically, then such a pipeline is later bound, min samples
would have been incorrectly set to 1
instead, flag the update for later and do it just before draw
cc: mesa-stable
Reviewed-by: Roland Scheidegger <sroland@vmware.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23368>
(cherry picked from commit cc9e958053)
In commit 284f0c9a57 I refactored the
handling of the data source to just call a helper rather than special
casing opcodes with 0 or 2 sources. Unfortunately, I also dropped the
"else return 1", creating a fallthrough for all sources other than
SURFACE_LOGICAL_SRC_ADDRESS and SURFACE_LOGICAL_SRC_DATA.
The case below happened to return the correct value for all cases except
SURFACE_LOGICAL_SRC_SURFACE, which has been returning 2 instead of 1
since that commit.
Restore the else case. Thanks to Marcin Ślusarz for catching this.
Fixes: 284f0c9a57 ("intel/compiler: Add an lsc_op_num_data_values() helper")
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Reviewed-by: Marcin Ślusarz <marcin.slusarz@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23347>
(cherry picked from commit 2d9a3bb093)
Otherwise this can cause optimizations to fight resulting in infinite
optimization loops with opt_algebraic, constant_folding, and copy_prop.
Fixes: 368be872 ("nir/algebraic: shrink 64-bit bitwise operations with 0/-1 constant half")
Reviewed-by: Emma Anholt <emma@anholt.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23192>
(cherry picked from commit 6c62eaf22d)
For instance, this is triggered with "piglit/bin/ext_direct_state_access-named-program -auto -fbo":
==5695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000050031 at pc 0x7f78dfca8d46 bp 0x7ffd9043b4a0 sp 0x7ffd9043ac50
READ of size 50 at 0x606000050031 thread T0
#0 0x7f78dfca8d45 (/usr/lib64/libasan.so.6+0x3fd45)
#1 0x7f78d450b18f in set_program_string ../src/mesa/main/arbprogram.c:385
#2 0x7f78d3fdbd3e in execute_list ../src/mesa/main/dlist.c:13025
#3 0x7f78d40c2564 in _mesa_CallList ../src/mesa/main/dlist.c:13451
#4 0x7f78d42f380a in _mesa_unmarshal_CallList ../src/mesa/main/glthread_list.c:43
#5 0x7f78d38e85c5 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:122
#6 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:382
#7 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:347
#8 0x7f78d3d73f69 in _mesa_marshal_IsProgramARB src/mapi/glapi/gen/marshal_generated2.c:4256
Fixes: 0b196b40a3 ("mesa: don't compute the same SHA1 twice in glShaderSource")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23295>
(cherry picked from commit 44b960a645)
As Matt Turner pointed out, the commit here fixed breaks in Iris and
ANV in kernel versions without support for DRM_I915_QUERY_ENGINE_INFO.
As compute engines are only present in gfx12 and newer, and support
for DRM_I915_QUERY_ENGINE_INFO was added before any gfx12 platform,
we can check for gfx version before trying to get engine info.
For ANV, this is done by checking if engine_info is not NULL, like in
other places in the ANV source code.
Fixes: a364f23a6c ("intel: Make gen12 URB space reservation dependent on compute engine presence")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9099
Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
Tested-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Marcin Ślusarz <marcin.slusarz@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23257>
(cherry picked from commit 42f707e459)
This issue is happening on radeonsi. The reference was allocated
via _mesa_get_bufferobj_reference() with setup_arrays().
The same reference was never freed.
For instance, this issue is triggered on radeonsi with
"piglit/bin/gl-1.0-rendermode-feedback -auto -fbo"
while setting GALLIUM_REFCNT_LOG=refcnt.log.
Fixes: ff8c2a1748 ("mesa/bufferobj: rename bufferobj functions to be more consistent.")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/22921>
(cherry picked from commit dc07e0d3fe)
When in an msaa feedback loop and when the image does not have tc-compat
cmask, we have to decompress and expand fmask. This can happen on gfx9
when sample count > 2 or when RADV_DEBUG=notccompatcmask is specified.
Fixes: a38de4c011 ("radv: disable tc_compatible_cmask on GFX9 in some cases")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23331>
(cherry picked from commit 6cb5185916)
==10199== Conditional jump or move depends on uninitialised value(s)
==10199== at 0xA107B13: radv_resume_queries (radv_meta.c:93)
==10199== by 0xA108097: radv_meta_restore (radv_meta.c:225)
==10199== Uninitialised value was created by a stack allocation
==10199== at 0xA1145B2: fill_buffer_shader (radv_meta_buffer.c:171)
saved_state is never memset, so the value should be inited.
Cc: mesa-stable
Reviewed-by: Samuel Pitoiset <samuel.pitoiset@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23327>
(cherry picked from commit 54ceec8d9e)
The GS and the FS needs to agree on the driver_location. But we just
used the num_outputs variable for the GS instead of matching the logic
from lower_aaline_instr in nir_draw_helpers.c.
This does that, but cleans up our copy slightly to avoid computing the
needless location, as well as using unsigned values.
This used to *mostly* work before, but only because we were lucky and
not too much crazy stuff went on with the inputs / outputs in
smooth-line cases.
Fixes: edecb66b01 ("nir: avoid generating conflicting output variables")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23316>
(cherry picked from commit ffc77d5262)
global load/store (or A64 messages) need the NIR bound checking which
is enabled by "robust" behavior even when robust behavior is disabled.
Many thanks to Christopher Snowhill for pointing out the pushed
constant related issue with the initial version of this patch.
Signed-off-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: mesa-stable
Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21645>
(cherry picked from commit efcda1c530)
This seems to be the best compromise I can come up with so far.
I can't figure out to get the tier2 programming to match between
264 and 265, maybe they are just programmed different here, good
old firmware.
Fixes: 1693c03a39 ("radv/video: add initial h264 decoder for VCN")
Reviewed-by: Lynne <dev@lynne.ee>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23227>
(cherry picked from commit b5963fc1f0)
radv_destroy_shader_upload_queue waits for a semaphore, which will in turn
call query_reset_status on hw_ctx that will fail due to being already
destroyed.
Fix radv/amdgpu: amdgpu_cs_query_reset_state2 failed. (-9) spam in the logs
with RADV_PERFTEST=dmashaders.
Cc: mesa-stable
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23276>
(cherry picked from commit 978d80fbe2)
The existing guardband region calculation was mixing up x/y_min with
x/y_max in cmd_buffer_emit_viewport(), causing the calculated viewport
area to always be an empty region. Luckily intel_calculate_guardband_size()
returns a non-empty but bogus guardband region in that case, so this
doesn't seem to have led to conformance regressions, but the
off-center guardbands could potentially impact performance in
geometry-heavy rendering.
Fixes: 893fa30afe ("anv: Include scissors in viewport calculations")
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23174>
(cherry picked from commit 9c26a6b3bb)
We don't need to add an offset in the buffer, because we submit
the offset where the data was written to to the host. The
correction of this offset is also not needed and results in draw
errors.
Fixes: 0cf5d1f226
gallium: remove PIPE_CAP_INFO_START_WITH_USER_INDICES and fix all drivers
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23196>
(cherry picked from commit d4fc359748)
