[Mesa-dev] [PATCH 1/6] cso: Don't restore nr_samplers in cso_restore_fragment_samplers
Nicolai Hähnle
nhaehnle at gmail.com
Fri Dec 16 11:16:51 UTC 2016
On 16.12.2016 10:52, Michel Dänzer wrote:
> From: Michel Dänzer <michel.daenzer at amd.com>
>
> If info->nr_samplers > ctx->nr_fragment_samplers_saved, the assignment
> would prevent cso_single_sampler_done from unbinding the no longer used
> samplers from the driver, which could result in use-after-free. This is
> probably unlikely to happen in practice though.
I'm confused. We never set the entries of info->samplers in the range
[ctx->nr_fragment_samplers_saved, info->nr_samplers) to NULL, so I think
they still aren't unbound despite this patch. Am I missing something?
Nicolai
>
> Cc: "12.0 13.0" <mesa-stable at lists.freedesktop.org>
> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
> ---
> src/gallium/auxiliary/cso_cache/cso_context.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/src/gallium/auxiliary/cso_cache/cso_context.c b/src/gallium/auxiliary/cso_cache/cso_context.c
> index 127e0711c2..2ee87f9184 100644
> --- a/src/gallium/auxiliary/cso_cache/cso_context.c
> +++ b/src/gallium/auxiliary/cso_cache/cso_context.c
> @@ -1275,7 +1275,6 @@ cso_restore_fragment_samplers(struct cso_context *ctx)
> {
> struct sampler_info *info = &ctx->samplers[PIPE_SHADER_FRAGMENT];
>
> - info->nr_samplers = ctx->nr_fragment_samplers_saved;
> memcpy(info->samplers, ctx->fragment_samplers_saved,
> sizeof(info->samplers));
> cso_single_sampler_done(ctx, PIPE_SHADER_FRAGMENT);
>
More information about the mesa-dev
mailing list