diff options
author | Patrick Rudolph <[email protected]> | 2015-12-06 10:11:59 +0100 |
---|---|---|
committer | Ilia Mirkin <[email protected]> | 2015-12-09 13:38:15 -0500 |
commit | 432a798cf5c7fab18a3e32d4073840df7d0d37cb (patch) | |
tree | 5ded13131ba026f0fec46020846fa5b4579a80ff /src/gallium/drivers | |
parent | f876346cdd2e5d0357ed260eec642beaaa389948 (diff) |
nv50,nvc0: fix use-after-free when vertex buffers are unbound
Always reset the vertex bufctx to make sure there's no pointer to
an already freed pipe_resource left after unbinding buffers.
Fixes use after free crash in nvc0_bufctx_fence().
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004
Signed-off-by: Patrick Rudolph <[email protected]>
[imirkin: simplify nvc0 fix, apply to nv50]
Signed-off-by: Ilia Mirkin <[email protected]>
Cc: "11.0 11.1" <[email protected]>
Diffstat (limited to 'src/gallium/drivers')
-rw-r--r-- | src/gallium/drivers/nouveau/nv50/nv50_state.c | 7 | ||||
-rw-r--r-- | src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 6 |
2 files changed, 6 insertions, 7 deletions
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c index fd7c7cdf677..de655971b66 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_state.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c @@ -994,6 +994,9 @@ nv50_set_vertex_buffers(struct pipe_context *pipe, struct nv50_context *nv50 = nv50_context(pipe); unsigned i; + nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX); + nv50->dirty |= NV50_NEW_ARRAYS; + util_set_vertex_buffers_count(nv50->vtxbuf, &nv50->num_vtxbufs, vb, start_slot, count); @@ -1017,10 +1020,6 @@ nv50_set_vertex_buffers(struct pipe_context *pipe, nv50->vbo_constant &= ~(1 << dst_index); } } - - nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX); - - nv50->dirty |= NV50_NEW_ARRAYS; } static void diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c index 5da0ea81a27..41a824a97a0 100644 --- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c @@ -1000,6 +1000,9 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, struct nvc0_context *nvc0 = nvc0_context(pipe); unsigned i; + nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); + nvc0->dirty |= NVC0_NEW_ARRAYS; + util_set_vertex_buffers_count(nvc0->vtxbuf, &nvc0->num_vtxbufs, vb, start_slot, count); @@ -1023,9 +1026,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, nvc0->constant_vbos &= ~(1 << dst_index); } } - - nvc0->dirty |= NVC0_NEW_ARRAYS; - nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); } static void |