Mesa (master): r600g: Drop references to destroyed blend state

[Michel Dänzer]

Module: Mesa
Branch: master
Commit: ae879718c4086fc5905070e7f26dfa2757df0c86
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=ae879718c4086fc5905070e7f26dfa2757df0c86

Author: Michel Dänzer <michel.daenzer at amd.com>
Date:   Tue Oct 21 12:40:15 2014 +0900

r600g: Drop references to destroyed blend state

Fixes use-after-free when the currently bound blend state is destroyed.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85267
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84140

Reviewed-by: Marek Olšák <marek.olsak at amd.com>
Tested-by: Dieter Nützel <Dieter at nuetzel-hh.de>

Cc: mesa-stable at lists.freedesktop.org

---

 src/gallium/drivers/r600/r600_state_common.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/r600/r600_state_common.c b/src/gallium/drivers/r600/r600_state_common.c
index 68365f9..879ec35 100644
--- a/src/gallium/drivers/r600/r600_state_common.c
+++ b/src/gallium/drivers/r600/r600_state_common.c
@@ -158,8 +158,10 @@ static void r600_bind_blend_state(struct pipe_context *ctx, void *state)
 	struct r600_context *rctx = (struct r600_context *)ctx;
 	struct r600_blend_state *blend = (struct r600_blend_state *)state;
 
-	if (blend == NULL)
+	if (blend == NULL) {
+		r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL);
 		return;
+	}
 
 	r600_bind_blend_state_internal(rctx, blend, rctx->force_blend_disable);
 }
@@ -447,8 +449,13 @@ static void r600_delete_sampler_state(struct pipe_context *ctx, void *state)
 
 static void r600_delete_blend_state(struct pipe_context *ctx, void *state)
 {
+	struct r600_context *rctx = (struct r600_context *)ctx;
 	struct r600_blend_state *blend = (struct r600_blend_state*)state;
 
+	if (rctx->blend_state.cso == state) {
+		ctx->bind_blend_state(ctx, NULL);
+	}
+
 	r600_release_command_buffer(&blend->buffer);
 	r600_release_command_buffer(&blend->buffer_no_blend);
 	FREE(blend);