From 54077d989361dd8b2dfb78f8d3cd9821dbe4e439 Mon Sep 17 00:00:00 2001 From: Icenowy Zheng Date: Tue, 18 Nov 2025 18:49:06 +0800 Subject: [PATCH] pvr: fix cleaning up failed CreateDevice When running the Vulkan CTS test dEQP-VK.api.device_init.create_instance_device_intentional_alloc_fail.basic , the driver sometimes crashes because of cleaning up sequences try to do pvr_suballoc_bo_free() on bo's that is never initialized (thus old stale value remains as pointer). Fix the issues that lead to wild pointers access (a wrong cleanup sequence and trying to free bo's that fails to be allocated). The CTS test still fails here with "Allocations still remain, failed on index 4274", but at least it does not crash now. Reviewed-by: Frank Binns Signed-off-by: Icenowy Zheng Part-of: --- src/imagination/vulkan/pvr_device.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/imagination/vulkan/pvr_device.c b/src/imagination/vulkan/pvr_device.c index a7b270560e3..16779d7ae6e 100644 --- a/src/imagination/vulkan/pvr_device.c +++ b/src/imagination/vulkan/pvr_device.c @@ -645,8 +645,9 @@ pvr_device_init_view_index_init_programs(struct pvr_device *device) { uint32_t *staging_buffer = NULL; VkResult result; + unsigned i; - for (unsigned i = 0; i < PVR_MAX_MULTIVIEW; ++i) { + for (i = 0; i < PVR_MAX_MULTIVIEW; ++i) { uint32_t staging_buffer_size; struct pvr_pds_view_index_init_program *program = &device->view_index_init_info[i]; @@ -696,7 +697,7 @@ pvr_device_init_view_index_init_programs(struct pvr_device *device) vk_free(&device->vk.alloc, staging_buffer); if (result != VK_SUCCESS) - for (uint32_t u = 0; u < PVR_MAX_MULTIVIEW; ++u) + for (uint32_t u = 0; u < i; ++u) pvr_bo_suballoc_free(device->view_index_init_programs[u].pvr_bo); return result; @@ -984,13 +985,13 @@ err_pvr_finish_compute_idfwdf: err_pvr_destroy_compute_query_programs: pvr_device_destroy_compute_query_programs(device); -err_pvr_free_compute_empty: - pvr_bo_suballoc_free(device->pds_compute_empty_program.pvr_bo); - err_pvr_free_view_index: for (uint32_t u = 0; u < PVR_MAX_MULTIVIEW; ++u) pvr_bo_suballoc_free(device->view_index_init_programs[u].pvr_bo); +err_pvr_free_compute_empty: + pvr_bo_suballoc_free(device->pds_compute_empty_program.pvr_bo); + err_pvr_free_compute_fence: pvr_bo_suballoc_free(device->pds_compute_fence_program.pvr_bo);