Marcin Slusarz
2010-Jan-20 22:27 UTC
[Nouveau] [mesa PATCH] nv50: fix crash in nv50_pre_pipebuffer_map (nv50_screen->cur_ctx)
nv50_pre_pipebuffer_map references screen->cur_ctx which points to freed memory after the context is destroyed. This crash is easily triggerable by progs/xdemos/glxcontexts. --- src/gallium/drivers/nv50/nv50_context.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/src/gallium/drivers/nv50/nv50_context.c b/src/gallium/drivers/nv50/nv50_context.c index d598f0e..952741c 100644 --- a/src/gallium/drivers/nv50/nv50_context.c +++ b/src/gallium/drivers/nv50/nv50_context.c @@ -82,6 +82,10 @@ nv50_destroy(struct pipe_context *pipe) so_ref(NULL, &nv50->state.vtxattr); draw_destroy(nv50->draw); + + if (nv50->screen->cur_ctx == nv50) + nv50->screen->cur_ctx = NULL; + FREE(nv50); } -- 1.6.6
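Review bot: in nv50_destroy, resetting nv50->screen->cur_ctx before FREE(nv50) removes the dangling pointer, but it leaves cur_ctx as NULL until another context becomes current, and nothing in this hunk shows that nv50_pre_pipebuffer_map copes with that. Please confirm that it, and any other reader of screen->cur_ctx, checks for NULL before dereferencing, or add that check in the same patch, so the use-after-free does not turn into a NULL dereference on the same glxcontexts path. A one-line comment above the new `if` saying why the pointer is cleared would also help.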
Marcin Slusarz
2010-Jan-24 18:24 UTC
[Nouveau] [mesa PATCH] nv50: fix crash in nv50_pre_pipebuffer_map (nv50_screen->cur_ctx)
On Wed, Jan 20, 2010 at 11:27:07PM +0100, Marcin Slusarz wrote:
> nv50_pre_pipebuffer_map references screen->cur_ctx which points
> to freed memory after the context is destroyed.
> This crash is easily triggerable by progs/xdemos/glxcontexts.

ping