From b0ea4f7a482539ed9e0a0c3e11849f0cfcd2b10f Mon Sep 17 00:00:00 2001
From: Chih-Wei Huang
Date: Wed, 28 Mar 2018 11:22:31 +0800
Subject: [PATCH] i965/miptree: fix segfaults due to null pointer

The code seems to assume the pointer mt is always not null, but there must be some race condition, because applying changes the Google Play crashes are now fixed.

Signed-off-by: Chih-Wei Huang
---
 src/mesa/drivers/dri/i965/brw_blorp.c | 1 +
 src/mesa/drivers/dri/i965/brw_draw.c | 2 +-
 src/mesa/drivers/dri/i965/brw_wm_surface_state.c | 3 +++
 src/mesa/drivers/dri/i965/intel_mipmap_tree.c | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/mesa/drivers/dri/i965/brw_blorp.c b/src/mesa/drivers/dri/i965/brw_blorp.c
index 5dcd95e..178b0b0 100644
--- a/src/mesa/drivers/dri/i965/brw_blorp.c
+++ b/src/mesa/drivers/dri/i965/brw_blorp.c
@@ -1196,6 +1196,7 @@ do_single_blorp_clear(struct brw_context *brw, struct gl_framebuffer *fb,
 * during resolves because the resolve operations only know about the
 * miptree and not the renderbuffer.
 */
+ if (!irb->mt) return;
 if (irb->Base.Base.Format != irb->mt->format)
 can_fast_clear = false;
diff --git a/src/mesa/drivers/dri/i965/brw_draw.c b/src/mesa/drivers/dri/i965/brw_draw.c
index f51f083..1b8327c 100644
--- a/src/mesa/drivers/dri/i965/brw_draw.c
+++ b/src/mesa/drivers/dri/i965/brw_draw.c
@@ -624,7 +624,7 @@ brw_postdraw_set_buffers_need_resolve(struct brw_context *brw)
 struct intel_renderbuffer *irb =
 intel_renderbuffer(fb->_ColorDrawBuffers[i]);
- if (!irb)
+ if (!irb || !irb->mt)
 continue;
 mesa_format mesa_format =
diff --git a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
index 3fb101b..f21f8e5 100644
--- a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
+++ b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
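Review bot: The added `if (!irb->mt) return;` in do_single_blorp_clear (brw_blorp.c) is a check-then-dereference on state the commit message itself suspects of racing, so it narrows the crash window rather than closing it. If another path can clear or release `irb->mt` between the test and the `irb->mt->format` read on the next line, the dereference is still reachable, and a stale non-NULL pointer passes the test unnoticed. The same applies to `if (!irb || !irb->mt)` in brw_postdraw_set_buffers_need_resolve (brw_draw.c) and to the `!mt` guards in the later hunks. Until the point where `mt` becomes NULL is identified, the guard should at least say so, e.g. `/* FIXME: irb->mt unexpectedly NULL here; cause unknown, clear is skipped */`, so the silently skipped clear is not mistaken for intended behaviour. The function body continues outside the hunk.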
@@ -258,6 +258,7 @@ gen6_update_renderbuffer_surface(struct brw_context *brw,
 struct intel_renderbuffer *irb = intel_renderbuffer(rb);
 struct intel_mipmap_tree *mt = irb->mt;
+ if (!mt) return 0;
 assert(brw_render_target_supported(brw, rb));
 mesa_format rb_format = _mesa_get_render_format(ctx, intel_rb_format(irb));
@@ -906,6 +907,8 @@ gen4_update_renderbuffer_surface(struct brw_context *brw,
 uint32_t tile_x, tile_y;
 enum isl_format format;
 uint32_t offset;
+
+ if (!mt) return 0;
 /* _NEW_BUFFERS */
 mesa_format rb_format = _mesa_get_render_format(ctx, intel_rb_format(irb));
 /* BRW_NEW_FS_PROG_DATA */
diff --git a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
index d95128d..cc7df9b 100644
--- a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
@@ -3662,6 +3662,7 @@ intel_miptree_map(struct brw_context *brw,
 {
 struct intel_miptree_map *map;
+ if (!mt) return;
 assert(mt->surf.samples == 1);
 map = intel_miptree_attach_map(mt, level, slice, x, y, w, h, mode);
@@ -3706,6 +3707,7 @@ intel_miptree_unmap(struct brw_context *brw,
 unsigned int level,
 unsigned int slice)
 {
+ if (!mt) return;
 struct intel_miptree_map *map = mt->level[level].slice[slice].map;
 assert(mt->surf.samples == 1);
--
2.1.4
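Review bot: `if (!mt) return 0;` in gen6_update_renderbuffer_surface returns an in-band value, so a caller cannot tell "no miptree" from a real result. The caller is outside this diff, but if the return value is a surface-state offset that goes into a binding table, as the function name suggests, entry 0 would then refer to whatever state lives at offset 0 instead of a defined null surface. The `if (!mt) return 0;` added to gen4_update_renderbuffer_surface has the same problem. It would be safer for the caller to test `irb->mt` and take its existing no-renderbuffer path. Failing that, the contract should be stated at the guard: `/* mt == NULL: nothing emitted; the returned offset must not be used */`.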
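Review bot: The early `if (!mt) return;` in intel_miptree_map exits without telling the caller that no mapping was made. The parameter list is outside the hunk, but if the mapping is reported through output parameters (upstream Mesa uses `out_ptr` and `out_stride`), they stay unwritten on this path and a caller that inspects them reads indeterminate values. The guard should write them first: `if (!mt) { *out_ptr = NULL; *out_stride = 0; return; }`. The matching guard in intel_miptree_unmap has no outputs to set, though it will also hide an unmap that has no preceding successful map.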