From ae879718c4086fc5905070e7f26dfa2757df0c86 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Michel=20D=C3=A4nzer?= Date: Tue, 21 Oct 2014 12:40:15 +0900 Subject: [PATCH] r600g: Drop references to destroyed blend state MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Fixes use-after-free when the currently bound blend state is destroyed. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85267 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84140 Reviewed-by: Marek Olšák Tested-by: Dieter Nützel Cc: mesa-stable@lists.freedesktop.org --- src/gallium/drivers/r600/r600_state_common.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/gallium/drivers/r600/r600_state_common.c b/src/gallium/drivers/r600/r600_state_common.c index 68365f9d9af..879ec3522ee 100644 --- a/src/gallium/drivers/r600/r600_state_common.c +++ b/src/gallium/drivers/r600/r600_state_common.c @@ -158,8 +158,10 @@ static void r600_bind_blend_state(struct pipe_context *ctx, void *state) struct r600_context *rctx = (struct r600_context *)ctx; struct r600_blend_state *blend = (struct r600_blend_state *)state; - if (blend == NULL) + if (blend == NULL) { + r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL); return; + } r600_bind_blend_state_internal(rctx, blend, rctx->force_blend_disable); } @@ -447,8 +449,13 @@ static void r600_delete_sampler_state(struct pipe_context *ctx, void *state) static void r600_delete_blend_state(struct pipe_context *ctx, void *state) { + struct r600_context *rctx = (struct r600_context *)ctx; struct r600_blend_state *blend = (struct r600_blend_state*)state; + if (rctx->blend_state.cso == state) { + ctx->bind_blend_state(ctx, NULL); + } + r600_release_command_buffer(&blend->buffer); r600_release_command_buffer(&blend->buffer_no_blend); FREE(blend); -- 2.30.2