Module: Mesa Branch: staging/22.1 Commit: 659e41fe794026634d65717a27585e9bbcb4eb91 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=659e41fe794026634d65717a27585e9bbcb4eb91
Author: Mike Blumenkrantz <[email protected]> Date: Fri Apr 22 13:52:22 2022 -0400 gallivm: fix ssbo oob reads this was checking (offset < size) when really it needs to be (offset < size && extent < size && offset >= 0) Fixes: 591899eedd2 ("gallivm/nir: Add a short circuit uniform-offset mode for load_ssbo/load_shared.") Reviewed-by: Dave Airlie <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16137> (cherry picked from commit aa98a90265ca9ec844f07b4b2a1d1e07fe33511a) --- .pick_status.json | 2 +- src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index 26f6e1dca0f..ea72a44baab 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -391,7 +391,7 @@
 "description": "gallivm: fix ssbo oob reads",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "591899eedd2d797bfdb7dbb6b3e2169d50d42109"
 },
diff --git a/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c b/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
index 5a8fd02561b..fb509bfb685 100644
--- a/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
+++ b/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
@@ -1181,9 +1181,12 @@ static void emit_load_mem(struct lp_build_nir_context *bld_base,
 LLVMValueRef res_store = lp_build_alloca(gallivm, LLVMTypeOf(zero), "");
 LLVMBuildStore(builder, zero, res_store);
- LLVMValueRef fetch_cond = LLVMBuildICmp(gallivm->builder, LLVMIntUGE, ssbo_limit, chan_offset, "");
+ LLVMValueRef fetch_extent = LLVMBuildAdd(builder, chan_offset, lp_build_const_int32(gallivm, 1), "");
+ LLVMValueRef fetch_cond = LLVMBuildICmp(gallivm->builder, LLVMIntUGE, ssbo_limit, fetch_extent, "");
+ LLVMValueRef fetch_cond2 = LLVMBuildICmp(gallivm->builder, LLVMIntSGE, chan_offset, lp_build_const_int32(gallivm, 0), "");
+ LLVMValueRef fetch_cond_final = LLVMBuildAnd(gallivm->builder, fetch_cond, fetch_cond2, "");
 struct lp_build_if_state ifthen;
- lp_build_if(&ifthen, gallivm, fetch_cond);
+ lp_build_if(&ifthen, gallivm, fetch_cond_final);
 LLVMBuildStore(builder, lp_build_pointer_get(builder, mem_ptr, chan_offset), res_store);
 lp_build_endif(&ifthen);
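Review bot: The two comparisons feeding `fetch_cond_final` depend on each other in a way the code does not say: `chan_offset + 1` is a 32-bit add that wraps to 0 for an offset of 0xFFFFFFFF, and only the signed `chan_offset >= 0` test keeps that wrapped extent from passing the unsigned `ssbo_limit >= fetch_extent` check. A comment above `fetch_extent` would keep a later cleanup from dropping the sign test as redundant, e.g. `/* in bounds iff chan_offset >= 0 (signed) and chan_offset + 1 <= ssbo_limit (unsigned); the sign test also rules out wrap of the +1 */`. This assumes `ssbo_limit` counts the same element units as `chan_offset`, which is set up outside the hunk; note also that offsets above INT32_MAX are now always treated as out of bounds. The enclosing `emit_load_mem` continues outside the hunk, so whether its other load paths apply the same strict bound cannot be seen here and is worth checking.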
