[Mesa-dev] [PATCH 1/1] r600: Fix use after free in compute_memory_promote_item.

Tom Stellard tom at stellard.net
Tue Jun 24 09:08:09 PDT 2014


On Tue, Jun 24, 2014 at 08:39:28AM -0400, Jan Vesely wrote:
> On Mon, 2014-06-23 at 17:15 +0200, Bruno Jimenez wrote:
> > On Mon, 2014-06-23 at 10:39 -0400, Jan Vesely wrote:
> > > The dst pointer needs to be initialized after any calls to
> > >  compute_memory_grow_pool, as the function might change the pool->vbo pointer.
> > 
> > You are completely right. Good catch.
> > 
> > Reviewed-by: Bruno Jiménez <brunojimen at gmail.com>
> 
> Thanks for review, now we just need a volunteer to push this...
> 

I just pushed this patch, thanks!

-Tom

> > Sorry for any inconvenience this may have caused.
> 
> no worries, none caused
> 
> > 
> > > This fixes crashes and assertion failures in two gegl tests.
> > > 
> > > Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>
> > > CC: Bruno Jimenez <brunojimen at gmail.com>
> > > CC: Tom Stellard <thomas.stellard at amd.com>
> > > ---
> > >  src/gallium/drivers/r600/compute_memory_pool.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
> > > index a78ff1e..9cb16f8 100644
> > > --- a/src/gallium/drivers/r600/compute_memory_pool.c
> > > +++ b/src/gallium/drivers/r600/compute_memory_pool.c
> > > @@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
> > >  {
> > >  	struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
> > >  	struct r600_context *rctx = (struct r600_context *)pipe;
> > > -	struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
> > >  	struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
> > > +	struct pipe_resource *dst = NULL;
> > >  	struct pipe_box box;
> > >  
> > >  	struct list_head *pos;
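
Review bot: `src` is still read from `item->real_buffer` in the declarations at the top of the function, before the grow call that made caching `pool->bo` there unsafe. Please confirm that the grow path cannot also replace `item->real_buffer`; if it can, `src` needs the same late assignment as `dst`. Initialising `dst` to NULL is a good choice here, since any use before the later assignment now faults immediately instead of touching a freed buffer.
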
> > > @@ -339,6 +339,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
> > >  		if (err == -1)
> > >  			return -1;
> > >  	}
> > > +	dst = (struct pipe_resource *)pool->bo;
> > >  	COMPUTE_DBG(pool->screen, "  + Found space for Item %p id = %u "
> > >  			"start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
> > >  			item, item->id, start_in_dw, start_in_dw * 4,
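
Review bot: the new `dst = (struct pipe_resource *)pool->bo;` line after the `err == -1` block carries no comment saying why it has to sit there, so a later cleanup could move it back up to the declaration and reintroduce the bug. A one-line comment above it, noting that the pool's buffer may be replaced by the grow call and must be read afterwards, would protect the ordering. The commit message also names `pool->vbo` while the code reads `pool->bo`; the two should agree.
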
> > 
> > 
> 
> -- 
> Jan Vesely <jan.vesely at rutgers.edu>


