Re: [Mesa-dev] [PATCH 1/2] nvc0: fix use after free of pipe_resource

2015-12-09 Thread Ilia Mirkin
I pushed a slightly modified version of this:

http://cgit.freedesktop.org/mesa/mesa/commit/?id=432a798cf5c7fab18a3e32d4073840df7d0d37cb

Thanks for the patch! I hope this will resolve some weird crashes
people have seen with various buffers being null unexpectedly.

On Sun, Dec 6, 2015 at 4:11 AM, Patrick Rudolph wrote:
> Always reset the vertex bufctx to make sure there's no pointer to
> an already freed pipe_resource left after unbinding buffers.
> Fixes use after free crash in nvc0_bufctx_fence().
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004
>
> Signed-off-by: Patrick Rudolph 
> ---
>  src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 5 -
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c 
> b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
> index 5dce5f0..2aa90c9 100644
> --- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
> +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
> @@ -1000,12 +1000,16 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
>  struct nvc0_context *nvc0 = nvc0_context(pipe);
>  unsigned i;
>
> +if (nvc0->num_vtxbufs)
> +nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
> +
>  util_set_vertex_buffers_count(nvc0->vtxbuf, >num_vtxbufs, vb,
>start_slot, count);
>
>  if (!vb) {
> nvc0->vbo_user &= ~(((1ull << count) - 1) << start_slot);
> nvc0->constant_vbos &= ~(((1ull << count) - 1) << start_slot);
> +   nvc0->dirty |= NVC0_NEW_ARRAYS;
> return;
>  }
>
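Review bot: the `nvc0->dirty |= NVC0_NEW_ARRAYS;` added inside the `if (!vb)` branch duplicates the identical statement at the end of the function, visible in the next hunk. Setting the flag once, before the `if (!vb)` test, would cover both the unbind and the bind path and keep the early return from falling out of step with the main path again.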
> @@ -1025,7 +1029,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
>  }
>
>  nvc0->dirty |= NVC0_NEW_ARRAYS;
> -nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
>  }
>
>  static void
> --
> 2.4.3
>
> ___
> mesa-dev mailing list
> mesa-dev@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/mesa-dev


[Mesa-dev] [PATCH 1/2] nvc0: fix use after free of pipe_resource

2015-12-06 Thread Patrick Rudolph
Always reset the vertex bufctx to make sure there's no pointer to
an already freed pipe_resource left after unbinding buffers.
Fixes use after free crash in nvc0_bufctx_fence().

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004

Signed-off-by: Patrick Rudolph 
---
 src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c 
b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
index 5dce5f0..2aa90c9 100644
--- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
+++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c
@@ -1000,12 +1000,16 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
 struct nvc0_context *nvc0 = nvc0_context(pipe);
 unsigned i;
 
+if (nvc0->num_vtxbufs)
+nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
+
 util_set_vertex_buffers_count(nvc0->vtxbuf, >num_vtxbufs, vb,
   start_slot, count);
 
 if (!vb) {
nvc0->vbo_user &= ~(((1ull << count) - 1) << start_slot);
nvc0->constant_vbos &= ~(((1ull << count) - 1) << start_slot);
+   nvc0->dirty |= NVC0_NEW_ARRAYS;
return;
 }
 
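Review bot: the commit message says the vertex bufctx is always reset, but the reset added at the top of the function is guarded by `if (nvc0->num_vtxbufs)`, and that test reads the count from before `util_set_vertex_buffers_count()` updates it. Either drop the guard or add a short comment stating why the NVC0_BIND_VTX bin cannot hold references while the old count is zero, so the next reader does not have to rederive why skipping the reset is safe.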
@@ -1025,7 +1029,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe,
 }
 
 nvc0->dirty |= NVC0_NEW_ARRAYS;
-nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);
 }
 
 static void
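Review bot: removing the unconditional `nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX);` at the end of the function means a call that binds buffers while `num_vtxbufs` was zero on entry no longer resets the bin at all, since the only remaining reset is the guarded one in the first hunk. Please confirm that this case is intended and mention it in the commit message, which currently describes only the unbind path.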
-- 
2.4.3
