diff --git a/SPECS/mesa/CVE-2026-40393.patch b/SPECS/mesa/CVE-2026-40393.patch
new file mode 100644
index 00000000000..f9764693466
--- /dev/null
+++ b/SPECS/mesa/CVE-2026-40393.patch
@@ -0,0 +1,187 @@
+From 3da828d2dd12e20ba2afc152db8d7236c7a48c13 Mon Sep 17 00:00:00 2001
+From: Ian Romanick
+Date: Fri, 23 Jan 2026 09:58:26 -0800
+Subject: [PATCH 1/2] spirv: Use STACK_ARRAY instead of NIR_VLA
+
+The number of fields comes from the shader, so it could be a value large
+enough that using alloca would be problematic.
+
+Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types")
+Reviewed-by: Caio Oliveira
+Reviewed-by: Ryan Neph
+Reviewed-by: Lionel Landwerlin
+Part-of:
+
+Upstream-reference: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866.patch
+---
+ src/compiler/nir/nir_functions.c | 5 ++--
+ src/compiler/spirv/spirv_to_nir.c | 27 ++++++++++++-------
+ src/util/stack_array.h | 45 +++++++++++++++++++++++++++++++
+ 3 files changed, 65 insertions(+), 12 deletions(-)
+ create mode 100644 src/util/stack_array.h
+
+diff --git a/src/compiler/nir/nir_functions.c b/src/compiler/nir/nir_functions.c
+index d17ebd8..abd5e8a 100644
+--- a/src/compiler/nir/nir_functions.c
++++ b/src/compiler/nir/nir_functions.c
+@@ -21,10 +21,10 @@
+ * IN THE SOFTWARE.
+ */
+
++#include "util/stack_array.h"
+ #include "nir.h"
+ #include "nir_builder.h"
+ #include "nir_control_flow.h"
+-#include "nir_vla.h"
+
+ /*
+ * TODO: write a proper inliner for GPUs.
+@@ -177,12 +177,13 @@ static bool inline_functions_pass(nir_builder *b,
+ * to an SSA value first.
+ */
+ const unsigned num_params = call->num_params;
+- NIR_VLA(nir_def *, params, num_params);
++ STACK_ARRAY(nir_def *, params, num_params);
+ for (unsigned i = 0; i < num_params; i++) {
+ params[i] = call->params[i].ssa;
+ }
+
+ nir_inline_function_impl(b, call->callee->impl, params, NULL);
++ STACK_ARRAY_FINISH(params);
+ return true;
+ }
+
+diff --git a/src/compiler/spirv/spirv_to_nir.c b/src/compiler/spirv/spirv_to_nir.c
+index ed2a003..428adea 100644
+--- a/src/compiler/spirv/spirv_to_nir.c
++++ b/src/compiler/spirv/spirv_to_nir.c
+@@ -27,7 +27,6 @@
+
+ #include "glsl_types.h"
+ #include "vtn_private.h"
+-#include "nir/nir_vla.h"
+ #include "nir/nir_control_flow.h"
+ #include "nir/nir_constant_expressions.h"
+ #include "nir/nir_deref.h"
+@@ -38,6 +37,7 @@
+ #include "util/u_string.h"
+ #include "util/u_debug.h"
+
++#include "util/stack_array.h"
+ #include
+
+ #ifndef NDEBUG
+@@ -1013,7 +1013,7 @@ vtn_type_get_nir_type(struct vtn_builder *b, struct vtn_type *type,
+ case vtn_base_type_struct: {
+ bool need_new_struct = false;
+ const uint32_t num_fields = type->length;
+- NIR_VLA(struct glsl_struct_field, fields, num_fields);
++ STACK_ARRAY(struct glsl_struct_field, fields, num_fields);
+ for (unsigned i = 0; i < num_fields; i++) {
+ fields[i] = *glsl_get_struct_field_data(type->type, i);
+ const struct glsl_type *field_nir_type =
+@@ -1023,20 +1023,25 @@ vtn_type_get_nir_type(struct vtn_builder *b, struct vtn_type *type,
+ need_new_struct = true;
+ }
+ }
++
++ const struct glsl_type *result;
+ if (need_new_struct) {
+ if (glsl_type_is_interface(type->type)) {
+- return glsl_interface_type(fields, num_fields,
+- /* packing */ 0, false,
+- glsl_get_type_name(type->type));
++ result = glsl_interface_type(fields, num_fields,
++ /* packing */ 0, false,
++ glsl_get_type_name(type->type));
+ } else {
+- return glsl_struct_type(fields, num_fields,
+- glsl_get_type_name(type->type),
+- glsl_struct_type_is_packed(type->type));
++ result = glsl_struct_type(fields, num_fields,
++ glsl_get_type_name(type->type),
++ glsl_struct_type_is_packed(type->type));
+ }
+ } else {
+ /* No changes, just pass it on */
+- return type->type;
++ result = type->type;
+ }
++
++ STACK_ARRAY_FINISH(fields);
++ return result;
+ }
+
+ case vtn_base_type_image:
+@@ -1647,7 +1652,7 @@ vtn_handle_type(struct vtn_builder *b, SpvOp opcode,
+ val->type->offsets = vtn_alloc_array(b, unsigned, num_fields);
+ val->type->packed = false;
+
+- NIR_VLA(struct glsl_struct_field, fields, count);
++ STACK_ARRAY(struct glsl_struct_field, fields, count);
+ for (unsigned i = 0; i < num_fields; i++) {
+ val->type->members[i] = vtn_get_type(b, w[i + 2]);
+ const char *name = NULL;
+@@ -1703,6 +1708,8 @@ vtn_handle_type(struct vtn_builder *b, SpvOp opcode,
+ name ? name : "struct",
+ val->type->packed);
+ }
++
++ STACK_ARRAY_FINISH(fields);
+ break;
+ }
+
+diff --git a/src/util/stack_array.h b/src/util/stack_array.h
+new file mode 100644
+index 0000000..e2133bd
+--- /dev/null
++++ b/src/util/stack_array.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright © 2025 Collabora, Ltd.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
++ * IN THE SOFTWARE.
++ */
++
++#include
++
++#ifndef UTIL_STACK_ARRAY_H
++#define UTIL_STACK_ARRAY_H
++
++#define STACK_ARRAY_SIZE 8
++
++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some
++ * places it can't verify that when size is 0 nobody down the call chain reads
++ * the array. Please don't try to fix it by zero-initializing the array here
++ * since it's used in a lot of different places. An "if (size == 0) return;"
++ * may work for you.
++ */
++#define STACK_ARRAY(type, name, size) \
++ type _stack_##name[STACK_ARRAY_SIZE]; \
++ type *const name = \
++ ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type)))
++
++#define STACK_ARRAY_FINISH(name) \
++ if (name != _stack_##name) free(name)
++
++#endif /* UTIL_STACK_ARRAY_H */
+--
+2.45.4
+
diff --git a/SPECS/mesa/mesa.spec b/SPECS/mesa/mesa.spec
index 3ba4051b275..3ca92d56224 100644
--- a/SPECS/mesa/mesa.spec
+++ b/SPECS/mesa/mesa.spec
@@ -67,7 +67,7 @@ Name: mesa Summary: Mesa graphics libraries Version: 24.0.1 -Release: 7%{?dist} +Release: 8%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux
@@ -82,6 +82,7 @@ Source1: Mesa-MLAA-License-Clarification-Email.txt Source2: LICENSE.PTR Patch10: gnome-shell-glthread-disable.patch +Patch11: CVE-2026-40393.patch BuildRequires: meson >= 1.3.0 BuildRequires: gcc
@@ -494,8 +495,7 @@ done popd %files filesystem -%license LICENSE.PTR -%doc docs/Mesa-MLAA-License-Clarification-Email.txt +%license LICENSE.PTR docs/Mesa-MLAA-License-Clarification-Email.txt %dir %{_libdir}/dri %if 0%{?with_hardware} %if 0%{?with_vdpau}
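Review bot: The heap fallback in `STACK_ARRAY` (the new `src/util/stack_array.h` inside CVE-2026-40393.patch) uses the `malloc` result unchecked, so with a shader-supplied field count above `STACK_ARRAY_SIZE` an allocation failure leaves `fields` NULL and the fill loops in `vtn_type_get_nir_type` and `vtn_handle_type` write through it; a NULL check directly after each `STACK_ARRAY(...)` on the SPIR-V paths would turn that into a clean failure. `STACK_ARRAY_FINISH` expands to a bare `if`, which can capture a following `else`; `do { if (name != _stack_##name) free(name); } while (0)` is the safer form. Any exit between `STACK_ARRAY` and `STACK_ARRAY_FINISH` that does not fall through now leaks the heap copy where the VLA did not, so the error paths inside those loops (their bodies continue outside the embedded hunks) are worth checking against the 24.0.1 tree. The mail is `[PATCH 1/2]` of the referenced merge request, so confirm the second commit is not also required for this CVE on this branch.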
@@ -741,6 +741,9 @@ popd %endif %changelog +* Mon Apr 13 2026 Azure Linux Security Servicing Account - 24.0.1-8 +- Patch for CVE-2026-40393 + * Tue Apr 07 2026 BinduSri Adabala - 24.0.1-7 - Bump release to rebuild with rust