diff options
| author | Patrick Rudolph <siro@das-labor.org> | 2015-12-06 10:11:59 +0100 |
|---|---|---|
| committer | Emil Velikov <emil.l.velikov@gmail.com> | 2016-01-07 12:25:19 +0200 |
| commit | 47fa06c839e647a0eb0236daec5f96e4a2441ed1 (patch) | |
| tree | 91eef6616d3fb00fa7ff4429a1174ef5ce209490 | |
| parent | 525f3c2c28cd083b37e1f6a27f503af1c4781141 (diff) | |
nv50,nvc0: fix use-after-free when vertex buffers are unbound
Always reset the vertex bufctx to make sure there's no pointer to
an already freed pipe_resource left after unbinding buffers.
Fixes use after free crash in nvc0_bufctx_fence().
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004
Signed-off-by: Patrick Rudolph <siro@das-labor.org>
[imirkin: simplify nvc0 fix, apply to nv50]
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: "11.0 11.1" <mesa-stable@lists.freedesktop.org>
(cherry picked from commit 432a798cf5c7fab18a3e32d4073840df7d0d37cb)
| -rw-r--r-- | src/gallium/drivers/nouveau/nv50/nv50_state.c | 7 | ||||
| -rw-r--r-- | src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 6 |
2 files changed, 6 insertions, 7 deletions
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c index b4ea08d4d1..26af842c76 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_state.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c @@ -994,6 +994,9 @@ nv50_set_vertex_buffers(struct pipe_context *pipe, struct nv50_context *nv50 = nv50_context(pipe); unsigned i; + nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX); + nv50->dirty |= NV50_NEW_ARRAYS; + util_set_vertex_buffers_count(nv50->vtxbuf, &nv50->num_vtxbufs, vb, start_slot, count); @@ -1017,10 +1020,6 @@ nv50_set_vertex_buffers(struct pipe_context *pipe, nv50->vbo_constant &= ~(1 << dst_index); } } - - nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX); - - nv50->dirty |= NV50_NEW_ARRAYS; } static void diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c index 5dce5f0e65..3d5816dedc 100644 --- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c @@ -1000,6 +1000,9 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, struct nvc0_context *nvc0 = nvc0_context(pipe); unsigned i; + nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); + nvc0->dirty |= NVC0_NEW_ARRAYS; + util_set_vertex_buffers_count(nvc0->vtxbuf, &nvc0->num_vtxbufs, vb, start_slot, count); @@ -1023,9 +1026,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, nvc0->constant_vbos &= ~(1 << dst_index); } } - - nvc0->dirty |= NVC0_NEW_ARRAYS; - nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); } static void |