diff options
| author | Ilia Mirkin <imirkin@alum.mit.edu> | 2016-03-19 11:43:37 -0400 |
|---|---|---|
| committer | Emil Velikov <emil.l.velikov@gmail.com> | 2016-04-14 22:35:05 +0100 |
| commit | 6771e866d030b7d8556618276260ef59ca606820 (patch) | |
| tree | 2d222aba5d3c17b3b80c1185f111a2f3e3a0f025 | |
| parent | 5d8ba0232e60e72eb55f02dcd090672ef5c2b7e4 (diff) | |
nv50: reset TFB bufctx when we no longer hold a reference to the buffers
This fix is analogous to commit ff085d014.
This fixes some use-after-free situations in dEQP when an xfb state is
removed, and then a clear is triggered, which only does a partial
validation. It would attempt to read the no-longer-valid buffers,
resulting in crashes.
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Samuel Pitoiset <samuel.pitoiset@gmail.com>
Cc: "11.1 11.2" <mesa-stable@lists.freedesktop.org>
(cherry picked from commit d1b85dbffa0eec2b44bb2a9f339a2617a39730da)
[Emil Velikov: macro names do not need 3D_ ]
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Conflicts:
src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
src/gallium/drivers/nouveau/nv50/nv50_state.c
| -rw-r--r-- | src/gallium/drivers/nouveau/nv50/nv50_shader_state.c | 2 | ||||
| -rw-r--r-- | src/gallium/drivers/nouveau/nv50/nv50_state.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c index 8e4b2b42bda..69115ba0c27 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c @@ -633,8 +633,6 @@ nv50_stream_output_validate(struct nv50_context *nv50) BEGIN_NV04(push, NV50_3D(STRMOUT_BUFFERS_CTRL), 1); PUSH_DATA (push, ctrl); - nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_SO); - for (i = 0; i < nv50->num_so_targets; ++i) { struct nv50_so_target *targ = nv50_so_target(nv50->so_target[i]); struct nv04_resource *buf = nv04_resource(targ->pipe.buffer); diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c index 26af842c764..deed6326108 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_state.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c @@ -1158,8 +1158,10 @@ nv50_set_stream_output_targets(struct pipe_context *pipe, } nv50->num_so_targets = num_targets; - if (nv50->so_targets_dirty) + if (nv50->so_targets_dirty) { + nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_SO); nv50->dirty |= NV50_NEW_STRMOUT; + } } static void |