Mesa (master): r600: Fix use after free in compute_memory_promote_item.

Tom Stellard tstellar at kemper.freedesktop.org
Tue Jun 24 16:06:31 UTC 2014


Module: Mesa
Branch: master
Commit: 0c181cdc6c0efdd98927b010239e0376399cecbf
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=0c181cdc6c0efdd98927b010239e0376399cecbf

Author: Jan Vesely <jan.vesely at rutgers.edu>
Date:   Mon Jun 23 10:39:00 2014 -0400

r600: Fix use after free in compute_memory_promote_item.

The dst pointer needs to be initialized after any calls to
compute_memory_grow_pool, as the function might change the pool->vbo pointer.

This fixes crashes and assertion failures in two gegl tests.

Reviewed-by: Bruno Jiménez <brunojimen at gmail.com>
Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>

---

 src/gallium/drivers/r600/compute_memory_pool.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
index 518ea65..691c938 100644
--- a/src/gallium/drivers/r600/compute_memory_pool.c
+++ b/src/gallium/drivers/r600/compute_memory_pool.c
@@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 {
 	struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
 	struct r600_context *rctx = (struct r600_context *)pipe;
-	struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
 	struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
+	struct pipe_resource *dst = NULL;
 	struct pipe_box box;
 
 	struct list_head *pos;
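Review bot: The removed initializer on the dst declaration reads pool->bo, while the commit message names pool->vbo as the pointer compute_memory_grow_pool may change. The message should name the field the code actually uses, so that someone searching the history for this use after free finds it under the right identifier.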
@@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 		if (err == -1)
 			return -1;
 	}
+	dst = (struct pipe_resource *)pool->bo;
 	COMPUTE_DBG(pool->screen, "  + Found space for Item %p id = %u "
 			"start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
 			item, item->id, start_in_dw, start_in_dw * 4,
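Review bot: The new assignment "dst = (struct pipe_resource *)pool->bo;" placed right after the closing brace of the grow block has no comment explaining why it must sit there. A one-line comment saying that compute_memory_grow_pool may replace pool->bo, so dst has to be read after that call, would keep a later cleanup from hoisting the assignment back to the declaration and reintroducing the stale pointer.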



