Reviewed-by: Marek Olšák <marek.ol...@amd.com>

Marek
On Tue, Oct 21, 2014 at 11:52 AM, Michel Dänzer <mic...@daenzer.net> wrote: > From: Michel Dänzer <michel.daen...@amd.com> > > Fixes use-after-free when the currently bound blend state is destroyed. > > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85267 > Signed-off-by: Michel Dänzer <michel.daen...@amd.com> > --- > src/gallium/drivers/r600/r600_state_common.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/src/gallium/drivers/r600/r600_state_common.c > b/src/gallium/drivers/r600/r600_state_common.c > index 68365f9..879ec35 100644 > --- a/src/gallium/drivers/r600/r600_state_common.c > +++ b/src/gallium/drivers/r600/r600_state_common.c > @@ -158,8 +158,10 @@ static void r600_bind_blend_state(struct pipe_context > *ctx, void *state) > struct r600_context *rctx = (struct r600_context *)ctx; > struct r600_blend_state *blend = (struct r600_blend_state *)state; > > - if (blend == NULL) > + if (blend == NULL) { > + r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL); > return; > + } > > r600_bind_blend_state_internal(rctx, blend, > rctx->force_blend_disable); > } > @@ -447,8 +449,13 @@ static void r600_delete_sampler_state(struct > pipe_context *ctx, void *state) > > static void r600_delete_blend_state(struct pipe_context *ctx, void *state) > { > + struct r600_context *rctx = (struct r600_context *)ctx; > struct r600_blend_state *blend = (struct r600_blend_state*)state; > > + if (rctx->blend_state.cso == state) { > + ctx->bind_blend_state(ctx, NULL); > + } > + > r600_release_command_buffer(&blend->buffer); > r600_release_command_buffer(&blend->buffer_no_blend); > FREE(blend); > -- > 2.1.1 > > _______________________________________________ > mesa-dev mailing list > mesa-dev@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/mesa-dev
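
Review bot: In the first hunk (r600_bind_blend_state), the new NULL branch is what the delete path relies on to drop a stale rctx->blend_state.cso, but nothing in the code records that. A short comment above r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL) saying that binding NULL must clear both the cached cso and its cb would make it less likely that someone later restores the bare early return and brings the use-after-free back.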
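
Review bot: In the second hunk (r600_delete_blend_state), the unbind goes through the ctx->bind_blend_state function pointer, so the FREE(blend) that follows is only safe while that hook still clears rctx->blend_state.cso when passed NULL. r600_bind_blend_state is a static function defined earlier in the same file, so calling it directly, or calling r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL) here, would make the dependency explicit. As a style point, the braces around the single-statement if differ from the brace-less form the file used for "if (blend == NULL)" before this patch.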