[Mesa-dev] [PATCH 1/3] nv50: reset TFB bufctx when we no longer hold a reference to the buffers

Samuel Pitoiset samuel.pitoiset at gmail.com
Sat Mar 19 16:24:24 UTC 2016 

Patches 1-2 are:

Reviewed-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>

For patch 3, I don't enough know this part to have a look.

On 03/19/2016 05:04 PM, Ilia Mirkin wrote:
> This fix is analogous to commit ff085d014.
>
> This fixes some use-after-free situations in dEQP when an xfb state is
> removed, and then a clear is triggered, which only does a partial
> validation. It would attempt to read the no-longer-valid buffers,
> resulting in crashes.
>
> Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
> Cc: "11.1 11.2" <mesa-stable at lists.freedesktop.org>
> ---
>   src/gallium/drivers/nouveau/nv50/nv50_shader_state.c | 2 --
>   src/gallium/drivers/nouveau/nv50/nv50_state.c        | 4 +++-
>   2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
> index 8e4b2b4..69115ba 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
> @@ -633,8 +633,6 @@ nv50_stream_output_validate(struct nv50_context *nv50)
>      BEGIN_NV04(push, NV50_3D(STRMOUT_BUFFERS_CTRL), 1);
>      PUSH_DATA (push, ctrl);
>
> -   nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_SO);
> -
>      for (i = 0; i < nv50->num_so_targets; ++i) {
>         struct nv50_so_target *targ = nv50_so_target(nv50->so_target[i]);
>         struct nv04_resource *buf = nv04_resource(targ->pipe.buffer);
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c
> index 8504ba4..f8b8478 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_state.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c
> @@ -1180,8 +1180,10 @@ nv50_set_stream_output_targets(struct pipe_context *pipe,
>      }
>      nv50->num_so_targets = num_targets;
>
> -   if (nv50->so_targets_dirty)
> +   if (nv50->so_targets_dirty) {
> +      nouveau_bufctx_reset(nv50->bufctx_3d, NV50_BIND_SO);
>         nv50->dirty |= NV50_NEW_STRMOUT;
> +   }
>   }
>
>   static void
>

More information about the mesa-dev mailing list