aboutsummaryrefslogtreecommitdiffstats
path: root/src/gallium/drivers/r600
diff options
context:
space:
mode:
authorMichel Dänzer <[email protected]>2014-10-21 12:40:15 +0900
committerMichel Dänzer <[email protected]>2014-10-22 17:09:43 +0900
commitae879718c4086fc5905070e7f26dfa2757df0c86 (patch)
tree7251e5c37089a8ba46696fbab8e5b2b5243e82b9 /src/gallium/drivers/r600
parent6dc6e6e0d979aa666e2934ae40477195e4d37ceb (diff)
r600g: Drop references to destroyed blend state
Fixes use-after-free when the currently bound blend state is destroyed. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85267 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84140 Reviewed-by: Marek Olšák <[email protected]> Tested-by: Dieter Nützel <[email protected]> Cc: [email protected]
Diffstat (limited to 'src/gallium/drivers/r600')
-rw-r--r--src/gallium/drivers/r600/r600_state_common.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/gallium/drivers/r600/r600_state_common.c b/src/gallium/drivers/r600/r600_state_common.c
index 68365f9d9af..879ec3522ee 100644
--- a/src/gallium/drivers/r600/r600_state_common.c
+++ b/src/gallium/drivers/r600/r600_state_common.c
@@ -158,8 +158,10 @@ static void r600_bind_blend_state(struct pipe_context *ctx, void *state)
struct r600_context *rctx = (struct r600_context *)ctx;
struct r600_blend_state *blend = (struct r600_blend_state *)state;
- if (blend == NULL)
+ if (blend == NULL) {
+ r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL);
return;
+ }
r600_bind_blend_state_internal(rctx, blend, rctx->force_blend_disable);
}
@@ -447,8 +449,13 @@ static void r600_delete_sampler_state(struct pipe_context *ctx, void *state)
static void r600_delete_blend_state(struct pipe_context *ctx, void *state)
{
+ struct r600_context *rctx = (struct r600_context *)ctx;
struct r600_blend_state *blend = (struct r600_blend_state*)state;
+ if (rctx->blend_state.cso == state) {
+ ctx->bind_blend_state(ctx, NULL);
+ }
+
r600_release_command_buffer(&blend->buffer);
r600_release_command_buffer(&blend->buffer_no_blend);
FREE(blend);