Mesa (7.11): nouveau: fix crash during fence emission

[Marcin Åšlusarz]

Module: Mesa
Branch: 7.11
Commit: 8d1f1eae93a873fae3639134581de6ac1f6d413e
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=8d1f1eae93a873fae3639134581de6ac1f6d413e

Author: Marcin Slusarz <marcin.slusarz at gmail.com>
Date:   Sun Sep 25 16:01:19 2011 +0200

nouveau: fix crash during fence emission

Fence emission can flush the push buffer, which through flush_notify
unreferences recently emitted fence. If ref count is increased after
fence emission, unreference deletes the fence, which causes SIGSEGV.

Backtrace:
nouveau_fence_del
nouveau_fence_ref
nouveau_fence_next
nouveau_pushbuf_flush
MARK_RING
nv50_screen_fence_emit
nouveau_fence_emit
nv50_flush

This bug manifested as an assertion failure in nouveau_fence.c, because
SIGSEGV handler tried to shutdown the application and used messed up
fence.

This issue was reported by Maxim Levitsky.

(commit e1e03ce4928edf4ea0ef43d853cb869f70b126aa in master)

---

 src/gallium/drivers/nouveau/nouveau_fence.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/nouveau/nouveau_fence.c b/src/gallium/drivers/nouveau/nouveau_fence.c
index ea2038c..26e4775 100644
--- a/src/gallium/drivers/nouveau/nouveau_fence.c
+++ b/src/gallium/drivers/nouveau/nouveau_fence.c
@@ -93,8 +93,6 @@ nouveau_fence_emit(struct nouveau_fence *fence)
    /* set this now, so that if fence.emit triggers a flush we don't recurse */
    fence->state = NOUVEAU_FENCE_STATE_EMITTED;
 
-   screen->fence.emit(&screen->base, fence->sequence);
-
    ++fence->ref;
 
    if (screen->fence.tail)
@@ -103,6 +101,8 @@ nouveau_fence_emit(struct nouveau_fence *fence)
       screen->fence.head = fence;
 
    screen->fence.tail = fence;
+
+   screen->fence.emit(&screen->base, fence->sequence);
 }
 
 void