From b2ac03a8fc91953aa6a4fccbcd7aa5ef447e0736 Mon Sep 17 00:00:00 2001
From: Ilia Mirkin
Date: Tue, 16 Feb 2016 01:02:52 -0500
Subject: [PATCH] nvc0: reset TFB bufctx when we no longer hold a reference to the buffers

This fixes some use-after-free situations in dEQP when an xfb state is removed, and then a clear is triggered, which only does a partial validation. It would attempt to read the no-longer-valid buffers, resulting in crashes.

Signed-off-by: Ilia Mirkin
Cc: "11.1 11.2"
(cherry picked from commit ff085d014ed8ccce230769575e50924561218d98)
[Emil Velikov: macro names do not need 3D_ ]
Signed-off-by: Emil Velikov

Conflicts:
	src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
	src/gallium/drivers/nouveau/nvc0/nvc0_state.c
---
 src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c | 1 -
 src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
index 09c43581fa0..d5d667cbea8 100644
--- a/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
+++ b/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
@@ -297,7 +297,6 @@ nvc0_tfb_validate(struct nvc0_context *nvc0)
 if (!(nvc0->dirty & NVC0_NEW_TFB_TARGETS))
 return;
- nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_TFB);
 for (b = 0; b < nvc0->num_tfbbufs; ++b) {
 struct nvc0_so_target *targ = nvc0_so_target(nvc0->tfbbuf[b]);
diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
index 3d5816dedce..764e29e2e87 100644
--- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
+++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
@@ -1157,8 +1157,10 @@ nvc0_set_transform_feedback_targets(struct pipe_context *pipe,
 }
 nvc0->num_tfbbufs = num_targets;
- if (nvc0->tfbbuf_dirty)
+ if (nvc0->tfbbuf_dirty) {
+ nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_TFB);
 nvc0->dirty |= NVC0_NEW_TFB_TARGETS;
+ }
 }
 static void
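Review bot: The reset of NVC0_BIND_TFB in nvc0_set_transform_feedback_targets is now the only thing that drops the old target references from bufctx_3d, and it runs only inside the `tfbbuf_dirty` branch; because nvc0_tfb_validate no longer resets before its re-add loop (first hunk), any other path that raises NVC0_NEW_TFB_TARGETS after releasing a target reference must also reset NVC0_BIND_TFB itself, or the validate loop will add entries on top of stale ones that still point at a released buffer. The code that sets `tfbbuf_dirty` lies above the hunk, so whether every reference release reaches this branch cannot be confirmed from here and is worth checking against the callers that dirty the targets. I would record the invariant next to the re-add loop in nvc0_tfb_validate: `/* NVC0_BIND_TFB is reset wherever the target references are dropped (see nvc0_set_transform_feedback_targets); never re-add here without that reset, or the bufctx outlives the buffer. */`. nvc0_set_transform_feedback_targets begins outside the hunk.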