Hi Mesa maintainers, I'm working on backporting the fix for CVE-2026-40393, as part of the LTS Team, to fix bullseye to trixie.
I'm offering to do the (o-)s-p-u handling to get the fixes into the next (old-)stable point release. Note that there is an (unreleased) deb13u1 from josch, addressing #1116427; however, this seems to have stalled, and I've decided not to include that fix but to have a targeted fix for the CVE only. Attached are debdiffs, some feedback/review would be very welcome! Thanks, tobi
diff -Nru mesa-25.0.7/debian/changelog mesa-25.0.7/debian/changelog --- mesa-25.0.7/debian/changelog 2025-06-17 11:07:43.000000000 +0200 +++ mesa-25.0.7/debian/changelog 2026-06-04 17:31:57.000000000 +0200 @@ -1,3 +1,12 @@ +mesa (25.0.7-2+deb13u1) trixie; urgency=high + + * Non-maintainer upload by the LTS Team. + * Backport patch for CVE-2026-40393: + - backport support function STACK_ARRAY, cherry-pick file from upstream. + - backport commits fixing the issue + + -- Tobias Frost <[email protected]> Thu, 04 Jun 2026 17:31:57 +0200 + mesa (25.0.7-2) unstable; urgency=medium * patches: Revert a commit to fix mobian vm's. (Closes: #1107895) diff -Nru mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch --- mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/backport_STACK_ARRAY.patch 2026-06-04 17:31:57.000000000 +0200 
@@ -0,0 +1,54 @@ +Description: backport macro STACK_ARRAY, needed for fix for CVE-226-40393 +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/blob/f43cff3728e58c377d1e03b13db62514217abfe1/src/util/stack_array.h +Forwarded: not-needed +Last-Update: 2026-05-25 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- /dev/null ++++ b/src/util/stack_array.h +@@ -0,0 +1,45 @@ ++/* ++ * Copyright © 2025 Collabora, Ltd. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ * IN THE SOFTWARE. ++ */ ++ ++#include <stdlib.h> ++ ++#ifndef UTIL_STACK_ARRAY_H ++#define UTIL_STACK_ARRAY_H ++ ++#define STACK_ARRAY_SIZE 8 ++ ++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some ++ * places it can't verify that when size is 0 nobody down the call chain reads ++ * the array. 
Please don't try to fix it by zero-initializing the array here ++ * since it's used in a lot of different places. An "if (size == 0) return;" ++ * may work for you. ++ */ ++#define STACK_ARRAY(type, name, size) \ ++ type _stack_##name[STACK_ARRAY_SIZE]; \ ++ type *const name = \ ++ ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type))) ++ ++#define STACK_ARRAY_FINISH(name) \ ++ if (name != _stack_##name) free(name) ++ ++#endif /* UTIL_STACK_ARRAY_H */ diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch --- mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/CVE-2026-40393-part1.patch 2026-06-04 17:31:57.000000000 +0200 
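Review bot: The DEP-3 header of backport_STACK_ARRAY.patch spells the CVE id as `CVE-226-40393` and leaves the template text `<YYYY-MM-DD, last update of the meta-information, optional>` after the `Last-Update` date; the bullseye and bookworm copies of this patch carry the same header. A search of debian/patches for the real id will miss this file, so the line should read `Description: backport macro STACK_ARRAY, needed for fix for CVE-2026-40393`, with `Last-Update: 2026-05-25` on its own. Separately, the heap branch of `STACK_ARRAY` hands the `malloc` result to the caller unchecked, and the callers in the part1 and part2 patches write `fields[i]` / `params[i]` right after it. Since the file is taken verbatim from upstream that is probably best left as is, but a sentence in the Description saying allocation failure is not handled would help the next backporter.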
@@ -0,0 +1,94 @@ +From 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 09:58:26 -0800 +Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 3da828d2dd12e20ba2afc152db8d7236c7a48c13) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- +--- a/src/compiler/spirv/spirv_to_nir.c ++++ b/src/compiler/spirv/spirv_to_nir.c +@@ -27,7 +27,6 @@ + + #include "glsl_types.h" + #include "vtn_private.h" +-#include "nir/nir_vla.h" + #include "nir/nir_control_flow.h" + #include "nir/nir_constant_expressions.h" + #include "nir/nir_deref.h" +@@ -38,6 +37,7 @@ + #include "util/u_string.h" + #include "util/u_debug.h" + #include "util/mesa-blake3.h" ++#include "util/stack_array.h" + + #include <stdio.h> + +@@ -1228,7 +1228,7 @@ + case vtn_base_type_struct: { + bool need_new_struct = false; + const uint32_t num_fields = type->length; +- NIR_VLA(struct glsl_struct_field, fields, num_fields); ++ STACK_ARRAY(struct glsl_struct_field, fields, num_fields); + for (unsigned i = 0; i < num_fields; i++) { + fields[i] = *glsl_get_struct_field_data(type->type, i); + const struct glsl_type *field_nir_type = +@@ -1238,20 +1238,25 @@ + need_new_struct = true; + } + } ++ ++ const struct glsl_type *result; + if (need_new_struct) { + if (glsl_type_is_interface(type->type)) { +- return glsl_interface_type(fields, num_fields, +- /* packing */ 0, false, +- glsl_get_type_name(type->type)); ++ result = glsl_interface_type(fields, num_fields, ++ /* packing */ 0, false, ++ glsl_get_type_name(type->type)); + } else { +- return 
glsl_struct_type(fields, num_fields, +- glsl_get_type_name(type->type), +- glsl_struct_type_is_packed(type->type)); ++ result = glsl_struct_type(fields, num_fields, ++ glsl_get_type_name(type->type), ++ glsl_struct_type_is_packed(type->type)); + } + } else { + /* No changes, just pass it on */ +- return type->type; ++ result = type->type; + } ++ ++ STACK_ARRAY_FINISH(fields); ++ return result; + } + + case vtn_base_type_image: +@@ -1868,7 +1873,7 @@ + val->type->offsets = vtn_alloc_array(b, unsigned, num_fields); + val->type->packed = false; + +- NIR_VLA(struct glsl_struct_field, fields, count); ++ STACK_ARRAY(struct glsl_struct_field, fields, count); + for (unsigned i = 0; i < num_fields; i++) { + val->type->members[i] = vtn_get_type(b, w[i + 2]); + const char *name = NULL; +@@ -1924,6 +1929,8 @@ + name ? name : "struct", + val->type->packed); + } ++ ++ STACK_ARRAY_FINISH(fields); + break; + } + diff -Nru mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch --- mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-25.0.7/debian/patches/CVE-2026-40393-part2.patch 2026-06-04 17:31:57.000000000 +0200 
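Review bot: Replacing `NIR_VLA` with `STACK_ARRAY` means `fields` can now live on the heap, so any exit between the declaration and `STACK_ARRAY_FINISH(fields)` that skips the macro leaks it, where the alloca-based version needed no cleanup. The first converted block routes every `return` through `result`, but in the second block (`@@ -1868,7 +1873,7 @@`) most of the code between the declaration and the `break` is outside the hunk, and it calls `vtn_get_type(b, w[i + 2])`; if that call or anything in the elided lines can abort parsing through the vtn failure path, the array is not freed. This is worth checking against each release's source, since the bullseye and bookworm part1 patches apply the same change at different offsets; a comment such as `/* fields may be heap-allocated: no exit before STACK_ARRAY_FINISH */` at the declaration would record the constraint. This trixie copy also has no `Description:`/`Origin:` DEP-3 lines, unlike the bullseye and bookworm copies.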
@@ -0,0 +1,49 @@ +From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 10:07:27 -0800 +Subject: [PATCH] nir: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: c11833ab24d ("nir,spirv: Rework function calls") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 9017d37e84771f921a63676dd8b955df9ef20f29) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/nir/nir_functions.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/src/compiler/nir/nir_functions.c ++++ b/src/compiler/nir/nir_functions.c +@@ -21,10 +21,10 @@ + * IN THE SOFTWARE. + */ + ++#include "util/stack_array.h" + #include "nir.h" + #include "nir_builder.h" + #include "nir_control_flow.h" +-#include "nir_vla.h" + + /* + * TODO: write a proper inliner for GPUs. +@@ -228,12 +228,13 @@ + * to an SSA value first. + */ + const unsigned num_params = call->num_params; +- NIR_VLA(nir_def *, params, num_params); ++ STACK_ARRAY(nir_def *, params, num_params); + for (unsigned i = 0; i < num_params; i++) { + params[i] = call->params[i].ssa; + } + + nir_inline_function_impl(b, call->callee->impl, params, NULL); ++ STACK_ARRAY_FINISH(params); + return true; + } + diff -Nru mesa-25.0.7/debian/patches/series mesa-25.0.7/debian/patches/series --- mesa-25.0.7/debian/patches/series 2025-06-17 09:05:41.000000000 +0200 +++ mesa-25.0.7/debian/patches/series 2026-06-04 17:31:57.000000000 +0200 
@@ -4,3 +4,6 @@ etnaviv-add-support-for-texelfetch.patch Revert-hasvk-elk-stop-turning-load_push_constants-in.patch kopper-Revert-kopper-Explicitly-choose-zink.patch +backport_STACK_ARRAY.patch +CVE-2026-40393-part1.patch +CVE-2026-40393-part2.patch
diff -Naur mesa-20.3.5/debian/changelog mesa-bullseye/debian/changelog --- mesa-20.3.5/debian/changelog 2026-05-18 20:24:03.000000000 +0200 +++ mesa-bullseye/debian/changelog 2026-06-04 16:37:17.275807821 +0200 @@ -1,3 +1,14 @@ +mesa (20.3.5-1+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Convert to source format 3.0 (quilt), caused issues when packaging from + git. + * Backport patch for CVE-2026-40393: + - backport support function STACK_ARRAY, cherry-pick file from upstream. + - backport commits fixing the issue + + -- Tobias Frost <[email protected]> Mon, 25 May 2026 15:37:47 +0200 + mesa (20.3.5-1) unstable; urgency=medium * New upstream release. diff -Naur mesa-20.3.5/debian/patches/backport_STACK_ARRAY.patch mesa-bullseye/debian/patches/backport_STACK_ARRAY.patch --- mesa-20.3.5/debian/patches/backport_STACK_ARRAY.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bullseye/debian/patches/backport_STACK_ARRAY.patch 2026-06-04 16:37:17.275981830 +0200 
@@ -0,0 +1,54 @@ +Description: backport macro STACK_ARRAY, needed for fix for CVE-226-40393 +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/blob/f43cff3728e58c377d1e03b13db62514217abfe1/src/util/stack_array.h +Forwarded: not-needed +Last-Update: 2026-05-25 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- /dev/null ++++ b/src/util/stack_array.h +@@ -0,0 +1,45 @@ ++/* ++ * Copyright © 2025 Collabora, Ltd. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ * IN THE SOFTWARE. ++ */ ++ ++#include <stdlib.h> ++ ++#ifndef UTIL_STACK_ARRAY_H ++#define UTIL_STACK_ARRAY_H ++ ++#define STACK_ARRAY_SIZE 8 ++ ++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some ++ * places it can't verify that when size is 0 nobody down the call chain reads ++ * the array. 
Please don't try to fix it by zero-initializing the array here ++ * since it's used in a lot of different places. An "if (size == 0) return;" ++ * may work for you. ++ */ ++#define STACK_ARRAY(type, name, size) \ ++ type _stack_##name[STACK_ARRAY_SIZE]; \ ++ type *const name = \ ++ ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type))) ++ ++#define STACK_ARRAY_FINISH(name) \ ++ if (name != _stack_##name) free(name) ++ ++#endif /* UTIL_STACK_ARRAY_H */ diff -Naur mesa-20.3.5/debian/patches/CVE-2026-40393-part1.patch mesa-bullseye/debian/patches/CVE-2026-40393-part1.patch --- mesa-20.3.5/debian/patches/CVE-2026-40393-part1.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bullseye/debian/patches/CVE-2026-40393-part1.patch 2026-06-04 16:37:17.275981830 +0200 
@@ -0,0 +1,100 @@ +Description: CVE-2026-40393 part 1 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e +From 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 09:58:26 -0800 +Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 3da828d2dd12e20ba2afc152db8d7236c7a48c13) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/spirv/spirv_to_nir.c | 27 +++++++++++++++++---------- + 2 files changed, 18 insertions(+), 11 deletions(-) + +--- a/src/compiler/spirv/spirv_to_nir.c ++++ b/src/compiler/spirv/spirv_to_nir.c +@@ -26,7 +26,6 @@ + */ + + #include "vtn_private.h" +-#include "nir/nir_vla.h" + #include "nir/nir_control_flow.h" + #include "nir/nir_constant_expressions.h" + #include "nir/nir_deref.h" +@@ -35,6 +34,7 @@ + #include "util/format/u_format.h" + #include "util/u_math.h" + ++#include "util/stack_array.h" + #include <stdio.h> + + void +@@ -878,7 +878,7 @@ + case vtn_base_type_struct: { + bool need_new_struct = false; + const uint32_t num_fields = type->length; +- NIR_VLA(struct glsl_struct_field, fields, num_fields); ++ STACK_ARRAY(struct glsl_struct_field, fields, num_fields); + for (unsigned i = 0; i < num_fields; i++) { + fields[i] = *glsl_get_struct_field_data(type->type, i); + const struct glsl_type *field_nir_type = +@@ -888,20 +888,25 @@ + need_new_struct = true; + } + } ++ ++ const struct glsl_type *result; + if (need_new_struct) { + if 
(glsl_type_is_interface(type->type)) { +- return glsl_interface_type(fields, num_fields, +- /* packing */ 0, false, +- glsl_get_type_name(type->type)); ++ result = glsl_interface_type(fields, num_fields, ++ /* packing */ 0, false, ++ glsl_get_type_name(type->type)); + } else { +- return glsl_struct_type(fields, num_fields, +- glsl_get_type_name(type->type), +- glsl_struct_type_is_packed(type->type)); ++ result = glsl_struct_type(fields, num_fields, ++ glsl_get_type_name(type->type), ++ glsl_struct_type_is_packed(type->type)); + } + } else { + /* No changes, just pass it on */ +- return type->type; ++ result = type->type; + } ++ ++ STACK_ARRAY_FINISH(fields); ++ return result; + } + + case vtn_base_type_image: +@@ -1460,7 +1465,7 @@ + val->type->offsets = ralloc_array(b, unsigned, num_fields); + val->type->packed = false; + +- NIR_VLA(struct glsl_struct_field, fields, count); ++ STACK_ARRAY(struct glsl_struct_field, fields, count); + for (unsigned i = 0; i < num_fields; i++) { + val->type->members[i] = vtn_get_type(b, w[i + 2]); + fields[i] = (struct glsl_struct_field) { +@@ -1498,6 +1503,8 @@ + name ? name : "struct", + val->type->packed); + } ++ ++ STACK_ARRAY_FINISH(fields); + break; + } + diff -Naur mesa-20.3.5/debian/patches/CVE-2026-40393-part2.patch mesa-bullseye/debian/patches/CVE-2026-40393-part2.patch --- mesa-20.3.5/debian/patches/CVE-2026-40393-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bullseye/debian/patches/CVE-2026-40393-part2.patch 2026-06-04 16:37:17.275981830 +0200 
@@ -0,0 +1,53 @@ +Description: CVE-2026-40393 part 2 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e + +From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 10:07:27 -0800 +Subject: [PATCH] nir: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: c11833ab24d ("nir,spirv: Rework function calls") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 9017d37e84771f921a63676dd8b955df9ef20f29) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/nir/nir_functions.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/src/compiler/nir/nir_inline_functions.c ++++ b/src/compiler/nir/nir_inline_functions.c +@@ -21,10 +21,10 @@ + * IN THE SOFTWARE. + */ + ++#include "util/stack_array.h" + #include "nir.h" + #include "nir_builder.h" + #include "nir_control_flow.h" +-#include "nir_vla.h" + + void nir_inline_function_impl(struct nir_builder *b, + const nir_function_impl *impl, +@@ -148,13 +148,14 @@ + * to an SSA value first. 
+ */ + const unsigned num_params = call->num_params; +- NIR_VLA(nir_ssa_def *, params, num_params); ++ STACK_ARRAY(nir_ssa_def *, params, num_params); + for (unsigned i = 0; i < num_params; i++) { + params[i] = nir_ssa_for_src(b, call->params[i], + call->callee->params[i].num_components); + } + + nir_inline_function_impl(b, call->callee->impl, params, NULL); ++ STACK_ARRAY_FINISH(params); + } + + return progress; diff -Naur mesa-20.3.5/debian/patches/series mesa-bullseye/debian/patches/series --- mesa-20.3.5/debian/patches/series 2026-05-18 20:24:03.000000000 +0200 +++ mesa-bullseye/debian/patches/series 2026-06-04 16:37:17.275981830 +0200 @@ -2,3 +2,6 @@ fix-python-shebang.diff path_max.diff src_glx_dri_common.h.diff +backport_STACK_ARRAY.patch +CVE-2026-40393-part1.patch +CVE-2026-40393-part2.patch
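Review bot: The `Origin:` line of this part2 patch points at commit 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e, which is the part1 commit, while the mail header below it is `From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4`; the bookworm part2 patch has the same mismatch. It should presumably read `Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4`. The embedded diffstat still names `src/compiler/nir/nir_functions.c` although the hunks apply to `nir_inline_functions.c` and use `nir_ssa_def`, so the patch looks adapted rather than cherry-picked cleanly. Marking that in the header (for example `Origin: backport, <url>`) tells a reviewer the hunks need reading against the 20.3.5 source.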
diff -Naur mesa-22.3.6/debian/changelog mesa-bookworm/debian/changelog --- mesa-22.3.6/debian/changelog 2026-06-04 18:42:51.000000000 +0200 +++ mesa-bookworm/debian/changelog 2026-06-04 17:02:50.190991345 +0200 @@ -1,3 +1,12 @@ +mesa (22.3.6-1+deb12u2) bookworm-UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS team + * Backport patch for CVE-2026-40393: + - backport support function STACK_ARRAY, cherry-pick file from upstream. + - backport commits fixing the issue + + -- Tobias Frost <[email protected]> Thu, 04 Jun 2026 16:25:49 +0200 + mesa (22.3.6-1+deb12u1) testing-proposed-updates; urgency=medium * Upload to testing. diff -Naur mesa-22.3.6/debian/patches/backport_STACK_ARRAY.patch mesa-bookworm/debian/patches/backport_STACK_ARRAY.patch --- mesa-22.3.6/debian/patches/backport_STACK_ARRAY.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bookworm/debian/patches/backport_STACK_ARRAY.patch 2026-06-04 17:02:50.194991330 +0200 
@@ -0,0 +1,54 @@ +Description: backport macro STACK_ARRAY, needed for fix for CVE-226-40393 +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/blob/f43cff3728e58c377d1e03b13db62514217abfe1/src/util/stack_array.h +Forwarded: not-needed +Last-Update: 2026-05-25 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- /dev/null ++++ b/src/util/stack_array.h +@@ -0,0 +1,45 @@ ++/* ++ * Copyright © 2025 Collabora, Ltd. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ * IN THE SOFTWARE. ++ */ ++ ++#include <stdlib.h> ++ ++#ifndef UTIL_STACK_ARRAY_H ++#define UTIL_STACK_ARRAY_H ++ ++#define STACK_ARRAY_SIZE 8 ++ ++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some ++ * places it can't verify that when size is 0 nobody down the call chain reads ++ * the array. 
Please don't try to fix it by zero-initializing the array here ++ * since it's used in a lot of different places. An "if (size == 0) return;" ++ * may work for you. ++ */ ++#define STACK_ARRAY(type, name, size) \ ++ type _stack_##name[STACK_ARRAY_SIZE]; \ ++ type *const name = \ ++ ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type))) ++ ++#define STACK_ARRAY_FINISH(name) \ ++ if (name != _stack_##name) free(name) ++ ++#endif /* UTIL_STACK_ARRAY_H */ diff -Naur mesa-22.3.6/debian/patches/CVE-2026-40393-part1.patch mesa-bookworm/debian/patches/CVE-2026-40393-part1.patch --- mesa-22.3.6/debian/patches/CVE-2026-40393-part1.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bookworm/debian/patches/CVE-2026-40393-part1.patch 2026-06-04 17:02:50.194991330 +0200 
@@ -0,0 +1,97 @@ +Description: CVE-2026-40393 part 1 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e + +From 978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 09:58:26 -0800 +Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 3da828d2dd12e20ba2afc152db8d7236c7a48c13) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> + +--- a/src/compiler/spirv/spirv_to_nir.c ++++ b/src/compiler/spirv/spirv_to_nir.c +@@ -26,7 +26,6 @@ + */ + + #include "vtn_private.h" +-#include "nir/nir_vla.h" + #include "nir/nir_control_flow.h" + #include "nir/nir_constant_expressions.h" + #include "nir/nir_deref.h" +@@ -35,6 +34,7 @@ + #include "util/format/u_format.h" + #include "util/u_math.h" + #include "util/u_string.h" ++#include "util/stack_array.h" + + #include <stdio.h> + +@@ -927,7 +927,7 @@ + case vtn_base_type_struct: { + bool need_new_struct = false; + const uint32_t num_fields = type->length; +- NIR_VLA(struct glsl_struct_field, fields, num_fields); ++ STACK_ARRAY(struct glsl_struct_field, fields, num_fields); + for (unsigned i = 0; i < num_fields; i++) { + fields[i] = *glsl_get_struct_field_data(type->type, i); + const struct glsl_type *field_nir_type = +@@ -937,20 +937,25 @@ + need_new_struct = true; + } + } ++ ++ const struct glsl_type *result; + if (need_new_struct) { + if (glsl_type_is_interface(type->type)) { +- return glsl_interface_type(fields, num_fields, +- /* packing */ 0, false, +- glsl_get_type_name(type->type)); 
++ result = glsl_interface_type(fields, num_fields, ++ /* packing */ 0, false, ++ glsl_get_type_name(type->type)); + } else { +- return glsl_struct_type(fields, num_fields, +- glsl_get_type_name(type->type), +- glsl_struct_type_is_packed(type->type)); ++ result = glsl_struct_type(fields, num_fields, ++ glsl_get_type_name(type->type), ++ glsl_struct_type_is_packed(type->type)); + } + } else { + /* No changes, just pass it on */ +- return type->type; ++ result = type->type; + } ++ ++ STACK_ARRAY_FINISH(fields); ++ return result; + } + + case vtn_base_type_image: +@@ -1527,7 +1532,7 @@ + val->type->offsets = ralloc_array(b, unsigned, num_fields); + val->type->packed = false; + +- NIR_VLA(struct glsl_struct_field, fields, count); ++ STACK_ARRAY(struct glsl_struct_field, fields, count); + for (unsigned i = 0; i < num_fields; i++) { + val->type->members[i] = vtn_get_type(b, w[i + 2]); + const char *name = NULL; +@@ -1583,6 +1588,8 @@ + name ? name : "struct", + val->type->packed); + } ++ ++ STACK_ARRAY_FINISH(fields); + break; + } + diff -Naur mesa-22.3.6/debian/patches/CVE-2026-40393-part2.patch mesa-bookworm/debian/patches/CVE-2026-40393-part2.patch --- mesa-22.3.6/debian/patches/CVE-2026-40393-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ mesa-bookworm/debian/patches/CVE-2026-40393-part2.patch 2026-06-04 17:02:50.194991330 +0200 
@@ -0,0 +1,53 @@ +Description: CVE-2026-40393 part 2 - out-of-bounds memory access in WebGPU +Origin: https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e + +From 45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 Mon Sep 17 00:00:00 2001 +From: Ian Romanick <[email protected]> +Date: Fri, 23 Jan 2026 10:07:27 -0800 +Subject: [PATCH] nir: Use STACK_ARRAY instead of NIR_VLA + +The number of fields comes from the shader, so it could be a value large +enough that using alloca would be problematic. + +Fixes: c11833ab24d ("nir,spirv: Rework function calls") +Reviewed-by: Caio Oliveira <[email protected]> +Reviewed-by: Ryan Neph <[email protected]> +Reviewed-by: Lionel Landwerlin <[email protected]> +(cherry picked from commit 9017d37e84771f921a63676dd8b955df9ef20f29) + +Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/40092> +--- + .pick_status.json | 2 +- + src/compiler/nir/nir_functions.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/src/compiler/nir/nir_inline_functions.c ++++ b/src/compiler/nir/nir_inline_functions.c +@@ -22,9 +22,10 @@ + */ + + #include "nir.h" ++#include "util/stack_array.h" + #include "nir_builder.h" + #include "nir_control_flow.h" +-#include "nir_vla.h" ++ + + static bool function_ends_in_jump(nir_function_impl *impl) + { +@@ -159,13 +160,14 @@ + * to an SSA value first. 
+ */ + const unsigned num_params = call->num_params; +- NIR_VLA(nir_ssa_def *, params, num_params); ++ STACK_ARRAY(nir_ssa_def *, params, num_params); + for (unsigned i = 0; i < num_params; i++) { + params[i] = nir_ssa_for_src(b, call->params[i], + call->callee->params[i].num_components); + } + + nir_inline_function_impl(b, call->callee->impl, params, NULL); ++ STACK_ARRAY_FINISH(params); + } + + return progress; diff -Naur mesa-22.3.6/debian/patches/series mesa-bookworm/debian/patches/series --- mesa-22.3.6/debian/patches/series 2026-06-04 18:42:51.000000000 +0200 +++ mesa-bookworm/debian/patches/series 2026-06-04 17:02:50.194991330 +0200 @@ -1,3 +1,6 @@ 07_gallium-fix-build-failure-on-powerpcspe.diff path_max.diff src_glx_dri_common.h.diff +backport_STACK_ARRAY.patch +CVE-2026-40393-part1.patch +CVE-2026-40393-part2.patch

