OpenHarmony/third_party_mesa3d
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nvc0: reset TFB bufctx when we no longer hold a reference to the buffers

Browse Source 
This fixes some use-after-free situations in dEQP when an xfb state is
removed, and then a clear is triggered, which only does a partial
validation. It would attempt to read the no-longer-valid buffers,
resulting in crashes.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: "11.1 11.2" <mesa-stable@lists.freedesktop.org>
This commit is contained in:
Ilia Mirkin
2016-02-16 01:02:52 -05:00
parent fa43c4bd99
commit ff085d014e
2 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/gallium/drivers/nouveau/nvc0/nvc0_shader_state.c
View File

@@ -309,7 +309,6 @@ nvc0_tfb_validate(struct nvc0_context *nvc0)
if (!(nvc0->dirty_3d & NVC0_NEW_3D_TFB_TARGETS)) if (!(nvc0->dirty_3d & NVC0_NEW_3D_TFB_TARGETS))
return; return;
nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_3D_TFB);
for (b = 0; b < nvc0->num_tfbbufs; ++b) { for (b = 0; b < nvc0->num_tfbbufs; ++b) {
struct nvc0_so_target *targ = nvc0_so_target(nvc0->tfbbuf[b]); struct nvc0_so_target *targ = nvc0_so_target(nvc0->tfbbuf[b]);

4
src/gallium/drivers/nouveau/nvc0/nvc0_state.c
View File

@@ -1184,8 +1184,10 @@ nvc0_set_transform_feedback_targets(struct pipe_context *pipe,
} }
nvc0->num_tfbbufs = num_targets; nvc0->num_tfbbufs = num_targets;
if (nvc0->tfbbuf_dirty) if (nvc0->tfbbuf_dirty) {
nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_3D_TFB);
nvc0->dirty_3d |= NVC0_NEW_3D_TFB_TARGETS; nvc0->dirty_3d |= NVC0_NEW_3D_TFB_TARGETS;
}
} }
static void static void