nvc0: reset TFB bufctx when we no longer hold a reference to the buffers

This fixes some use-after-free situations in dEQP when an xfb state is
removed, and then a clear is triggered, which only does a partial
validation. It would attempt to read the no-longer-valid buffers,
resulting in crashes.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: "11.1 11.2" <mesa-stable@lists.freedesktop.org>
(cherry picked from commit ff085d014e)
[Emil Velikov: macro names do not need 3D_ ]
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>

Conflicts:
    src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
    src/gallium/drivers/nouveau/nvc0/nvc0_state.c

src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c

@@ -297,7 +297,6 @@ nvc0_tfb_validate(struct nvc0_context *nvc0)
 
    if (!(nvc0->dirty & NVC0_NEW_TFB_TARGETS))
       return;
-   nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_TFB);
 
    for (b = 0; b < nvc0->num_tfbbufs; ++b) {
       struct nvc0_so_target *targ = nvc0_so_target(nvc0->tfbbuf[b]);

src/gallium/drivers/nouveau/nvc0/nvc0_state.c

@@ -1157,8 +1157,10 @@ nvc0_set_transform_feedback_targets(struct pipe_context *pipe,
    }
    nvc0->num_tfbbufs = num_targets;
 
-   if (nvc0->tfbbuf_dirty)
+   if (nvc0->tfbbuf_dirty) {
+      nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_TFB);
       nvc0->dirty |= NVC0_NEW_TFB_TARGETS;
+   }
 }
 
 static void