Always reset the vertex bufctx to make sure there's no pointer to an already freed pipe_resource left after unbinding buffers. Fixes use after free crash in nvc0_bufctx_fence().
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93004 Signed-off-by: Patrick Rudolph <s...@das-labor.org> --- src/gallium/drivers/nouveau/nvc0/nvc0_state.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c index 5dce5f0..2aa90c9 100644 --- a/src/gallium/drivers/nouveau/nvc0/nvc0_state.c +++ b/src/gallium/drivers/nouveau/nvc0/nvc0_state.c @@ -1000,12 +1000,16 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, struct nvc0_context *nvc0 = nvc0_context(pipe); unsigned i; + if (nvc0->num_vtxbufs) + nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); + util_set_vertex_buffers_count(nvc0->vtxbuf, &nvc0->num_vtxbufs, vb, start_slot, count); if (!vb) { nvc0->vbo_user &= ~(((1ull << count) - 1) << start_slot); nvc0->constant_vbos &= ~(((1ull << count) - 1) << start_slot); + nvc0->dirty |= NVC0_NEW_ARRAYS; return; } @@ -1025,7 +1029,6 @@ nvc0_set_vertex_buffers(struct pipe_context *pipe, } nvc0->dirty |= NVC0_NEW_ARRAYS; - nouveau_bufctx_reset(nvc0->bufctx_3d, NVC0_BIND_VTX); } static void -- 2.4.3 _______________________________________________ mesa-dev mailing list mesa-dev@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/mesa-dev
