r600: Fix use after free in compute_memory_promote_item.

The dst pointer needs to be initialized after any calls to
 compute_memory_grow_pool, as the function might change the pool->vbo pointer.

This fixes crashes and assertion failures in two gegl tests.

Reviewed-by: Bruno Jiménez <brunojimen@gmail.com>
Signed-off-by: Jan Vesely <jan.vesely@rutgers.edu>

diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
index 518ea654e402117928dffa93418ee0e367412c53..691c9383f15b2ddde14e7a48b61837e572ad3b2b 100644 (file)
--- a/src/gallium/drivers/r600/compute_memory_pool.c
+++ b/src/gallium/drivers/r600/compute_memory_pool.c
@@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 {
        struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
        struct r600_context *rctx = (struct r600_context *)pipe;
-       struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
        struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
+       struct pipe_resource *dst = NULL;
        struct pipe_box box;
 
        struct list_head *pos;
@@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
                if (err == -1)
                        return -1;
        }
+       dst = (struct pipe_resource *)pool->bo;
        COMPUTE_DBG(pool->screen, "  + Found space for Item %p id = %u "
                        "start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
                        item, item->id, start_in_dw, start_in_dw * 4,