Module: Mesa
Branch: master
Commit: 432a798cf5c7fab18a3e32d4073840df7d0d37cb
URL:    
http://cgit.freedesktop.org/mesa/mesa/commit/?id=432a798cf5c7fab18a3e32d4073840df7d0d37cb

Author: Patrick Rudolph <[email protected]>
Date:   Sun Dec  6 10:11:59 2015 +0100

nv50,nvc0: fix use-after-free when vertex buffers are unbound

Always reset the vertex bufctx to make sure there's no pointer to
an already freed pipe_resource left after unbinding buffers.
Fixes use after free crash in nvc0_bufctx_fence().

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004
Signed-off-by: Patrick Rudolph <[email protected]>
[imirkin: simplify nvc0 fix, apply to nv50]
Signed-off-by: Ilia Mirkin <[email protected]>
Cc: "11.0 11.1" <[email protected]>

---

 src/gallium/drivers/nouveau/nv50/nv50_state.c |    7 +++----
 src/gallium/drivers/nouveau/nvc0/nvc0_state.c |    6 +++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c 
b/src/gallium/drivers/nouveau/nv50/nv50_state.c
index fd7c7cd..de65597 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_state.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c
@@ -994,6 +994,9 @@ nv50_set_vertex_buffers(struct pipe_context *pipe,
    struct nv50_context *nv50 = nv50_context(pipe);
    unsigned i;
 
+   nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX);
+   nv50->dirty |= NV50_NEW_ARRAYS;
+
    util_set_vertex_buffers_count(nv50->vtxbuf, &nv50->num_vtxbufs, vb,
                                  start_slot, count);
 
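Review bot: The two lines added at the top of nv50_set_vertex_buffers() have no comment saying why the reset must come before util_set_vertex_buffers_count(), and that ordering is the whole fix: per the commit message, the vertex bufctx can otherwise keep a pointer to a pipe_resource that was already freed when buffers were unbound. A short comment above the call, such as `/* Reset first: the bufctx must not keep pointers to resources that unbinding may free. */`, would stop a later cleanup from moving it back to the end of the function. The path that used to skip the trailing reset is not visible in this hunk (presumably an early return between the two nv50 hunks), so that part is inferred. The same comment applies to the matching lines added in nvc0_set_vertex_buffers() in nvc0_state.c. The function body starts and ends outside this hunk.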
@@ -1017,10 +1020,6 @@ nv50_set_vertex_buffers(struct pipe_context *pipe,
          nv50->vbo_constant &= ~(1 << dst_index);
       }
    }
-
-   nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_VERTEX);
-
-   nv50->dirty |= NV50_NEW_ARRAYS;
 }
 
 static void
diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c 
b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
index 5da0ea8..41a824a 100644
--- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
+++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
@@ -1000,6 +1000,9 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
     struct nvc0_context *nvc0 = nvc0_context(pipe);
     unsigned i;
 
+    nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
+    nvc0->dirty |= NVC0_NEW_ARRAYS;
+
     util_set_vertex_buffers_count(nvc0->vtxbuf, &nvc0->num_vtxbufs, vb,
                                   start_slot, count);
 
@@ -1023,9 +1026,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
           nvc0->constant_vbos &= ~(1 << dst_index);
        }
     }
-
-    nvc0->dirty |= NVC0_NEW_ARRAYS;
-    nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
 }
 
 static void
