<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Jan 16, 2017 at 1:13 AM, Topi Pohjolainen <span dir="ltr"><<a href="mailto:topi.pohjolainen@gmail.com" target="_blank">topi.pohjolainen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There exact same check earlier in brw_miptree_layout() which<br>
intel_miptree_create_layout() in turn calls unconditionally.<br>
<br>
Signed-off-by: Topi Pohjolainen <<a href="mailto:topi.pohjolainen@intel.com">topi.pohjolainen@intel.com</a>><br>
---<br>
 src/mesa/drivers/dri/i965/<wbr>intel_mipmap_tree.c | 7 +------<br>
 1 file changed, 1 insertion(+), 6 deletions(-)<br>
<br>
diff --git a/src/mesa/drivers/dri/i965/<wbr>intel_mipmap_tree.c b/src/mesa/drivers/dri/i965/<wbr>intel_mipmap_tree.c<br>
index 25f8f39..9488bec 100644<br>
--- a/src/mesa/drivers/dri/i965/<wbr>intel_mipmap_tree.c<br>
+++ b/src/mesa/drivers/dri/i965/<wbr>intel_mipmap_tree.c<br>
@@ -628,13 +628,8 @@ miptree_create(struct brw_context *brw,<br>
                                     first_level, last_level, width0,<br>
                                     height0, depth0, num_samples,<br>
                                     layout_flags);<br>
-   /*<br>
-    * pitch == 0 || height == 0  indicates the null texture<br>
-    */<br>
-   if (!mt || !mt->total_width || !mt->total_height) {<br>
-      intel_miptree_release(&mt);<br>
+   if (!mt)<br>
       return NULL;<br></blockquote><div><br></div><div>Ugh... Not quite.  More miptree nastiness!  Looking through the code, brw_miptree_layout does do this check and unrefs the miptree but has no way of indicating to higher levels that it has unref'd the miptree!  In other words, if that ever happens, the aux_disable lines at the end of intel_miptree_create_layout will read/write freed memory and intel_miptree_create_layout will a valid-looking (but freed) pointer.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-   }<br>
<br>
    if (mt->tiling == (I915_TILING_Y | I915_TILING_X))<br>
       mt->tiling = I915_TILING_Y;<br>
<span class="HOEnZb"><font color="#888888">--<br>
2.5.5<br>
<br>
______________________________<wbr>_________________<br>
mesa-dev mailing list<br>
<a href="mailto:mesa-dev@lists.freedesktop.org">mesa-dev@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev" rel="noreferrer" target="_blank">https://lists.freedesktop.org/<wbr>mailman/listinfo/mesa-dev</a><br>
</font></span></blockquote></div><br></div></div>