summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIlia Mirkin <[email protected]>2016-03-19 11:43:37 -0400
committerIlia Mirkin <[email protected]>2016-03-19 13:09:49 -0400
commitd1b85dbffa0eec2b44bb2a9f339a2617a39730da (patch)
treec28234809506f7dbac3452a7922ce78ffa409e2d
parent902bbda81b31bacb2a8c60ca6a8ba8ca34ae73d3 (diff)
nv50: reset TFB bufctx when we no longer hold a reference to the buffers
This fix is analogous to commit ff085d014. This fixes some use-after-free situations in dEQP when an xfb state is removed, and then a clear is triggered, which only does a partial validation. It would attempt to read the no-longer-valid buffers, resulting in crashes. Signed-off-by: Ilia Mirkin <[email protected]> Reviewed-by: Samuel Pitoiset <[email protected]> Cc: "11.1 11.2" <[email protected]>
-rw-r--r--src/gallium/drivers/nouveau/nv50/nv50_shader_state.c2
-rw-r--r--src/gallium/drivers/nouveau/nv50/nv50_state.c4
2 files changed, 3 insertions, 3 deletions
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
index 56a3df9d578..3d2ebfbcc46 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
@@ -648,8 +648,6 @@ nv50_stream_output_validate(struct nv50_context *nv50)
BEGIN_NV04(push, NV50_3D(STRMOUT_BUFFERS_CTRL), 1);
PUSH_DATA (push, ctrl);
- nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_3D_SO);
-
for (i = 0; i < nv50->num_so_targets; ++i) {
struct nv50_so_target *targ = nv50_so_target(nv50->so_target[i]);
struct nv04_resource *buf = nv04_resource(targ->pipe.buffer);
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c
index 4d77bf1f711..86e74d68b11 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_state.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c
@@ -1180,8 +1180,10 @@ nv50_set_stream_output_targets(struct pipe_context *pipe,
}
nv50->num_so_targets = num_targets;
- if (nv50->so_targets_dirty)
+ if (nv50->so_targets_dirty) {
+ nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_3D_SO);
nv50->dirty_3d |= NV50_NEW_3D_STRMOUT;
+ }
}
static void