On 13/04/18 13:49, Kenneth Graunke wrote:
brw_bo_alloc may round up our allocation size to the next bucket size.
In this case, we would malloc a shadow buffer that was the original
intended size, but use bo->size (the larger size) for all of our checks.

This could cause us to run off the end of the shadow buffer.

v2: Actually use the new BO size (caught by Lionel)

Reported-by: James Xiong <>
Fixes: c7dcee58b5fe183e1653c13bff6a212f0d157b29 (i965: Avoid problems from referencing orphaned BOs after growing.)
  src/mesa/drivers/dri/i965/intel_batchbuffer.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/mesa/drivers/dri/i965/intel_batchbuffer.c 
index 55889be7327..a29159e41ba 100644
--- a/src/mesa/drivers/dri/i965/intel_batchbuffer.c
+++ b/src/mesa/drivers/dri/i965/intel_batchbuffer.c
@@ -360,8 +360,11 @@ grow_buffer(struct brw_context *brw,
        /* We can't safely use realloc, as it may move the existing buffer,
         * breaking existing pointers the caller may still be using.  Just
         * malloc a new copy and memcpy it like the normal BO path.
+       *
+       * Use bo->size rather than new_size because the bufmgr may have
+       * rounded up the size, and we want the shadow size to match.
-      grow->map = malloc(new_size);
+      grow->map = malloc(new_bo->size);
     } else {
        grow->map = brw_bo_map(brw, new_bo, MAP_READ | MAP_WRITE);
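Review bot: `grow->map = malloc(new_bo->size);` is still not checked for NULL, so if the allocation fails the copy the comment describes ("malloc a new copy and memcpy it like the normal BO path") would write through a null pointer; consider returning early from grow_buffer when malloc fails rather than proceeding with the memcpy. Separately, in the hunk as posted the three added `*` comment lines run directly into the `-`/`+` `grow->map` lines with no ` */` in between, and the `@@ -360,8 +360,11 @@` counts only add up if one more context line belongs here, so please confirm the closing ` */` context line was dropped in transit and the comment is not left unterminated. The size change itself looks right: since the bufmgr may round the allocation up and the existing checks use bo->size, the shadow buffer has to be allocated at new_bo->size, not new_size.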

