nouveau: fix crash during fence emission

Fence emission can flush the push buffer, which through flush_notify
unreferences recently emitted fence. If ref count is increased after
fence emission, unreference deletes the fence, which causes SIGSEGV.

Backtrace:
nouveau_fence_del
nouveau_fence_ref
nouveau_fence_next
nouveau_pushbuf_flush
MARK_RING
nv50_screen_fence_emit
nouveau_fence_emit
nv50_flush

This bug manifested as an assertion failure in nouveau_fence.c, because
SIGSEGV handler tried to shutdown the application and used messed up
fence.

This issue was reported by Maxim Levitsky.

Note: This is a candidate for the 7.11 branch.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/gallium/drivers/nouveau/nouveau_fence.c b/src/gallium/drivers/nouveau/nouveau_fence.c
index ea2038cc7e2..26e4775b12d 100644
--- a/src/gallium/drivers/nouveau/nouveau_fence.c
+++ b/src/gallium/drivers/nouveau/nouveau_fence.c
@@ -93,8 +93,6 @@ nouveau_fence_emit(struct nouveau_fence *fence)
    /* set this now, so that if fence.emit triggers a flush we don't recurse */
    fence->state = NOUVEAU_FENCE_STATE_EMITTED;
 
-   screen->fence.emit(&screen->base, fence->sequence);
-
    ++fence->ref;
 
    if (screen->fence.tail)
@@ -103,6 +101,8 @@ nouveau_fence_emit(struct nouveau_fence *fence)
       screen->fence.head = fence;
 
    screen->fence.tail = fence;
+
+   screen->fence.emit(&screen->base, fence->sequence);
 }
 
 void