[Mesa-dev] [PATCH 03/12] r600g: fix possible crashes in destroy_context when failing in create_context

Marek Olšák maraeo at gmail.com
Tue Feb 21 16:55:54 PST 2012


---
 src/gallium/drivers/r600/r600_hw_context.c |   36 ++++++++++++++++-----------
 src/gallium/drivers/r600/r600_pipe.c       |   27 +++++++++++++-------
 2 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/src/gallium/drivers/r600/r600_hw_context.c b/src/gallium/drivers/r600/r600_hw_context.c
index 5738b48..fb0923d 100644
--- a/src/gallium/drivers/r600/r600_hw_context.c
+++ b/src/gallium/drivers/r600/r600_hw_context.c
@@ -625,6 +625,11 @@ static void r600_free_resource_range(struct r600_context *ctx, struct r600_range
 {
 	struct r600_block *block;
 	int i;
+
+	if (!range->blocks) {
+		return; /* nothing to do */
+	}
+
 	for (i = 0; i < nblocks; i++) {
 		block = range->blocks[i];
 		if (block) {
@@ -634,7 +639,6 @@ static void r600_free_resource_range(struct r600_context *ctx, struct r600_range
 		}
 	}
 	free(range->blocks);
-
 }
 
 /* initialize */
@@ -643,23 +647,25 @@ void r600_context_fini(struct r600_context *ctx)
 	struct r600_block *block;
 	struct r600_range *range;
 
-	for (int i = 0; i < NUM_RANGES; i++) {
-		if (!ctx->range[i].blocks)
-			continue;
-		for (int j = 0; j < (1 << HASH_SHIFT); j++) {
-			block = ctx->range[i].blocks[j];
-			if (block) {
-				for (int k = 0, offset = block->start_offset; k < block->nreg; k++, offset += 4) {
-					range = &ctx->range[CTX_RANGE_ID(offset)];
-					range->blocks[CTX_BLOCK_ID(offset)] = NULL;
-				}
-				for (int k = 1; k <= block->nbo; k++) {
-					pipe_resource_reference((struct pipe_resource**)&block->reloc[k].bo, NULL);
+	if (ctx->range) {
+		for (int i = 0; i < NUM_RANGES; i++) {
+			if (!ctx->range[i].blocks)
+				continue;
+			for (int j = 0; j < (1 << HASH_SHIFT); j++) {
+				block = ctx->range[i].blocks[j];
+				if (block) {
+					for (int k = 0, offset = block->start_offset; k < block->nreg; k++, offset += 4) {
+						range = &ctx->range[CTX_RANGE_ID(offset)];
+						range->blocks[CTX_BLOCK_ID(offset)] = NULL;
+					}
+					for (int k = 1; k <= block->nbo; k++) {
+						pipe_resource_reference((struct pipe_resource**)&block->reloc[k].bo, NULL);
+					}
+					free(block);
 				}
-				free(block);
 			}
+			free(ctx->range[i].blocks);
 		}
-		free(ctx->range[i].blocks);
 	}
 	r600_free_resource_range(ctx, &ctx->ps_resources, ctx->num_ps_resources);
 	r600_free_resource_range(ctx, &ctx->vs_resources, ctx->num_vs_resources);
diff --git a/src/gallium/drivers/r600/r600_pipe.c b/src/gallium/drivers/r600/r600_pipe.c
index e7ba971..b2b79cd 100644
--- a/src/gallium/drivers/r600/r600_pipe.c
+++ b/src/gallium/drivers/r600/r600_pipe.c
@@ -191,25 +191,32 @@ static void r600_destroy_context(struct pipe_context *context)
 {
 	struct r600_context *rctx = (struct r600_context *)context;
 
-	rctx->context.delete_depth_stencil_alpha_state(&rctx->context, rctx->custom_dsa_flush);
+	if (rctx->custom_dsa_flush) {
+		rctx->context.delete_depth_stencil_alpha_state(&rctx->context, rctx->custom_dsa_flush);
+	}
 	util_unreference_framebuffer_state(&rctx->framebuffer);
 
 	r600_context_fini(rctx);
 
-	util_blitter_destroy(rctx->blitter);
-
+	if (rctx->blitter) {
+		util_blitter_destroy(rctx->blitter);
+	}
 	for (int i = 0; i < R600_PIPE_NSTATES; i++) {
 		free(rctx->states[i]);
 	}
 
-	u_vbuf_destroy(rctx->vbuf_mgr);
+	if (rctx->vbuf_mgr) {
+		u_vbuf_destroy(rctx->vbuf_mgr);
+	}
 	util_slab_destroy(&rctx->pool_transfers);
 
 	r600_update_num_contexts(rctx->screen, -1);
 
 	r600_release_command_buffer(&rctx->atom_start_cs);
 
-	rctx->ws->cs_destroy(rctx->cs);
+	if (rctx->cs) {
+		rctx->ws->cs_destroy(rctx->cs);
+	}
 
 	FREE(rctx->range);
 	FREE(rctx);
@@ -223,6 +230,10 @@ static struct pipe_context *r600_create_context(struct pipe_screen *screen, void
 	if (rctx == NULL)
 		return NULL;
 
+	util_slab_create(&rctx->pool_transfers,
+			 sizeof(struct pipe_transfer), 64,
+			 UTIL_SLAB_SINGLETHREADED);
+
 	r600_update_num_contexts(rscreen, 1);
 
 	rctx->context.screen = screen;
@@ -244,7 +255,7 @@ static struct pipe_context *r600_create_context(struct pipe_screen *screen, void
 
 	rctx->range = CALLOC(NUM_RANGES, sizeof(struct r600_range));
 	if (!rctx->range) {
-		FREE(rctx);
+		r600_destroy_context(&rctx->context);
 		return NULL;
 	}
 
@@ -290,10 +301,6 @@ static struct pipe_context *r600_create_context(struct pipe_screen *screen, void
 	rctx->ws->cs_set_flush_callback(rctx->cs, r600_flush_from_winsys, rctx);
 	r600_emit_atom(rctx, &rctx->atom_start_cs.atom);
 
-	util_slab_create(&rctx->pool_transfers,
-			 sizeof(struct pipe_transfer), 64,
-			 UTIL_SLAB_SINGLETHREADED);
-
 	rctx->vbuf_mgr = u_vbuf_create(&rctx->context, 1024 * 1024, 256,
 					   PIPE_BIND_VERTEX_BUFFER |
 					   PIPE_BIND_INDEX_BUFFER |
-- 
1.7.5.4



More information about the mesa-dev mailing list