[Mesa-dev] [PATCH 1/1] r600: Fix use after free in compute_memory_promote_item.
Bruno Jimenez
brunojimen at gmail.com
Mon Jun 23 08:15:09 PDT 2014
On Mon, 2014-06-23 at 10:39 -0400, Jan Vesely wrote:
> The dst pointer needs to be initialized after any calls to
> compute_memory_grow_pool, as the function might change the pool->vbo pointer.
You are completely right. Good catch.
Reviewed-by: Bruno Jiménez <brunojimen at gmail.com>
Sorry for any inconvenience this may have caused.
> This fixes crashes and assertion failures in two gegl tests.
>
> Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>
> CC: Bruno Jimenez <brunojimen at gmail.com>
> CC: Tom Stellard <thomas.stellard at amd.com>
> ---
> src/gallium/drivers/r600/compute_memory_pool.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
> index a78ff1e..9cb16f8 100644
> --- a/src/gallium/drivers/r600/compute_memory_pool.c
> +++ b/src/gallium/drivers/r600/compute_memory_pool.c
> @@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
> {
> struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
> struct r600_context *rctx = (struct r600_context *)pipe;
> - struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
> struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
> + struct pipe_resource *dst = NULL;
> struct pipe_box box;
>
> struct list_head *pos;
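Review bot: Initializing `dst` to `NULL` at the top of the function, rather than declaring it at the point where it is assigned later in this patch, leaves a window in which any path that reaches a use of `dst` before that assignment dereferences NULL instead of the stale `pool->bo` pointer; that is a safer failure mode than the use-after-free, but consider moving the declaration down to the assignment site so the compiler can diagnose a use before initialization instead of relying on a runtime NULL deref. A brief comment on why `dst` is no longer read from `pool->bo` here (the pool buffer can be reallocated by `compute_memory_grow_pool`) would also keep a future cleanup from hoisting the load back up.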
> @@ -339,6 +339,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
> if (err == -1)
> return -1;
> }
> + dst = (struct pipe_resource *)pool->bo;
> COMPUTE_DBG(pool->screen, " + Found space for Item %p id = %u "
> "start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
> item, item->id, start_in_dw, start_in_dw * 4,
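Review bot: The new `dst = (struct pipe_resource *)pool->bo;` sits correctly after the loop that calls `compute_memory_grow_pool` and its `if (err == -1) return -1;` early exit, so `dst` is only read once the pool buffer is final; one mismatch worth fixing before merge is that the commit message refers to `pool->vbo` while the code reads `pool->bo`, so the message should name the field as it appears in the hunk. A one-line comment above the assignment stating that `pool->bo` may have been replaced by the grow call would document the ordering constraint this fix depends on.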