st/mesa: fix context use-after-free problem in st_renderbuffer_delete()

The use-after-free happened when the renderbuffer was shared by multiple contexts and we tried to delete the renderbuffer using a context which was previously deleted. Note: this is a candidate for the stable branches. Reviewed-by: Jose Fonseca <jfonseca@vmware.com> (cherry picked from commit 4cedb65a43ae81c7ac71e631c854b7404dd2b61b)
author: Brian Paul <brianp@vmware.com> 2012-11-30 10:11:54 -0700
committer: Andreas Boll <andreas.boll.dev@gmail.com> 2013-02-13 18:46:40 +0100
commit: 527b3b8555f695d5b349d00eb1e63208b797bf2c (patch)
tree: eeb119e442dc398b89a1073a44e496619cc80237
parent: 9d4ab9a663d4088ec553edaae0eeafb746d2490d (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/src/mesa/state_tracker/st_cb_fbo.c b/src/mesa/state_tracker/st_cb_fbo.c
index a4da89e9746..755697c0a9b 100644
--- a/src/mesa/state_tracker/st_cb_fbo.c
+++ b/src/mesa/state_tracker/st_cb_fbo.c
@@ -228,8 +228,10 @@ static void
 st_renderbuffer_delete(struct gl_context *ctx, struct gl_renderbuffer *rb)
 {
    struct st_renderbuffer *strb = st_renderbuffer(rb);
-   ASSERT(strb);
-   pipe_surface_reference(&strb->surface, NULL);
+   struct st_context *st = st_context(ctx);
+   struct pipe_context *pipe = st->pipe;
+
+   pipe_surface_release(pipe, &strb->surface);
    pipe_resource_reference(&strb->texture, NULL);
    free(strb->data);
    _mesa_delete_renderbuffer(ctx, rb);
@@ -434,7 +436,7 @@ st_render_texture(struct gl_context *ctx,
 
    pipe_resource_reference( &strb->texture, pt );
 
-   pipe_surface_reference(&strb->surface, NULL);
+   pipe_surface_release(pipe, &strb->surface);
 
    assert(strb->rtt_level <= strb->texture->last_level);
author	Brian Paul <brianp@vmware.com>	2012-11-30 10:11:54 -0700
committer	Andreas Boll <andreas.boll.dev@gmail.com>	2013-02-13 18:46:40 +0100
commit	527b3b8555f695d5b349d00eb1e63208b797bf2c (patch)
tree	eeb119e442dc398b89a1073a44e496619cc80237
parent	9d4ab9a663d4088ec553edaae0eeafb746d2490d (diff)