r600: Fix use after free in compute_memory_promote_item.

The dst pointer needs to be initialized after any calls to
 compute_memory_grow_pool, as the function might change the pool->vbo pointer.

This fixes crashes and assertion failures in two gegl tests.

Reviewed-by: Bruno Jiménez <[email protected]>
Signed-off-by: Jan Vesely <[email protected]>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
index 518ea654e40..691c9383f15 100644
--- a/src/gallium/drivers/r600/compute_memory_pool.c
+++ b/src/gallium/drivers/r600/compute_memory_pool.c
@@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 {
 	struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
 	struct r600_context *rctx = (struct r600_context *)pipe;
-	struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
 	struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
+	struct pipe_resource *dst = NULL;
 	struct pipe_box box;
 
 	struct list_head *pos;
@@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 		if (err == -1)
 			return -1;
 	}
+	dst = (struct pipe_resource *)pool->bo;
 	COMPUTE_DBG(pool->screen, "  + Found space for Item %p id = %u "
 			"start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
 			item, item->id, start_in_dw, start_in_dw * 4,