From ff085d014ed8ccce230769575e50924561218d98 Mon Sep 17 00:00:00 2001 From: Ilia Mirkin Date: Tue, 16 Feb 2016 01:02:52 -0500 Subject: [PATCH] nvc0: reset TFB bufctx when we no longer hold a reference to the buffers This fixes some use-after-free situations in dEQP when an xfb state is removed, and then a clear is triggered, which only does a partial validation. It would attempt to read the no-longer-valid buffers, resulting in crashes. Signed-off-by: Ilia Mirkin Cc: "11.1 11.2" --- src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c | 1 - src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c index 6b02ed5680a..01fe7ce9bfc 100644 --- a/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c @@ -309,7 +309,6 @@ nvc0_tfb_validate(struct nvc0_context *nvc0) if (!(nvc0->dirty_3d & NVC0_NEW_3D_TFB_TARGETS)) return; - nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_3D_TFB); for (b = 0; b < nvc0->num_tfbbufs; ++b) { struct nvc0_so_target *targ = nvc0_so_target(nvc0->tfbbuf[b]); diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c index 7ccce9ff6bf..f679578028f 100644 --- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c @@ -1184,8 +1184,10 @@ nvc0_set_transform_feedback_targets(struct pipe_context *pipe, } nvc0->num_tfbbufs = num_targets; - if (nvc0->tfbbuf_dirty) + if (nvc0->tfbbuf_dirty) { + nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_3D_TFB); nvc0->dirty_3d |= NVC0_NEW_3D_TFB_TARGETS; + } } static void -- 2.30.2