From d3a49f36395d737698616fe8ba9da7b74cd2d89a Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Wed, 21 Nov 2012 18:41:00 +0000
Subject: [PATCH] sna/gen3+: Clear the render.vbo when replacing it for vertex upload

As we may trigger a flush and a retire when searching for a vertex buffer for the new vertices, we need to be careful to decouple the destroyed vbo in order to avoid a use-after-free when inspecting the state.

Signed-off-by: Chris Wilson
---
 src/sna/gen3_render.c | 1 +
 src/sna/gen4_render.c | 1 +
 src/sna/gen5_render.c | 1 +
 src/sna/gen6_render.c | 1 +
 src/sna/gen7_render.c | 1 +
 5 files changed, 5 insertions(+)

diff --git a/src/sna/gen3_render.c b/src/sna/gen3_render.c
index 232d33fc..f0f0a487 100644
--- a/src/sna/gen3_render.c
+++ b/src/sna/gen3_render.c
@@ -1640,6 +1640,7 @@ static int gen3_vertex_finish(struct sna *sna)
 sna->render.vertex_reloc[0] = 0;
 sna->render.vertex_used = 0;
 sna->render.vertex_index = 0;
+ sna->render.vbo = NULL;
 kgem_bo_destroy(&sna->kgem, bo);
 }
diff --git a/src/sna/gen4_render.c b/src/sna/gen4_render.c
index 387dd855..f4ddb825 100644
--- a/src/sna/gen4_render.c
+++ b/src/sna/gen4_render.c
@@ -295,6 +295,7 @@ static int gen4_vertex_finish(struct sna *sna)
 0);
 }
+ sna->render.vbo = NULL;
 sna->render.nvertex_reloc = 0;
 sna->render.vertex_used = 0;
 sna->render.vertex_index = 0;
diff --git a/src/sna/gen5_render.c b/src/sna/gen5_render.c
index 54d7c86b..0e3aec67 100644
--- a/src/sna/gen5_render.c
+++ b/src/sna/gen5_render.c
@@ -274,6 +274,7 @@ static int gen5_vertex_finish(struct sna *sna)
 sna->render.nvertex_reloc = 0;
 sna->render.vertex_used = 0;
 sna->render.vertex_index = 0;
+ sna->render.vbo = NULL;
 sna->render_state.gen5.vb_id = 0;
 kgem_bo_destroy(&sna->kgem, bo);
diff --git a/src/sna/gen6_render.c b/src/sna/gen6_render.c
index 16d5d903..fbe0951d 100644
--- a/src/sna/gen6_render.c
+++ b/src/sna/gen6_render.c
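Review bot: The added `sna->render.vbo = NULL;` in gen3_vertex_finish has no comment, although its position ahead of `kgem_bo_destroy(&sna->kgem, bo)` is the entire fix. Per the commit message, looking for a replacement vertex buffer can flush and retire, and that path inspects the render state. I would put `/* clear before destroy: finding the replacement may flush/retire and inspect render.vbo */` above the assignment, so a later tidy-up does not move it below the destroy and bring the use-after-free back. The same comment fits the identical lines in the gen4, gen5, gen6 and gen7 hunks. The function starts outside the hunk and appears to continue after it, so whether other cached state derived from the old bo (a CPU mapping of it, for instance) is also dropped on this path cannot be confirmed from here.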
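Review bot: In gen4_vertex_finish the clear sits ahead of the `nvertex_reloc`/`vertex_used`/`vertex_index` resets, while the gen3, gen5, gen6 and gen7 hunks put it after those counters, in the run that leads into `kgem_bo_destroy(&sna->kgem, bo)`. The destroy call is not visible in this hunk and the function continues outside it, so it cannot be checked from here that the old bo is released only after the pointer is cleared. Placing `sna->render.vbo = NULL;` after `sna->render.vertex_index = 0;`, as in the other generations, would keep the five functions parallel and make the ordering easier to audit.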
@@ -999,6 +999,7 @@ static int gen6_vertex_finish(struct sna *sna)
 sna->render.nvertex_reloc = 0;
 sna->render.vertex_used = 0;
 sna->render.vertex_index = 0;
+ sna->render.vbo = NULL;
 sna->render_state.gen6.vb_id = 0;
 kgem_bo_destroy(&sna->kgem, bo);
diff --git a/src/sna/gen7_render.c b/src/sna/gen7_render.c
index a329112e..3bec5df8 100644
--- a/src/sna/gen7_render.c
+++ b/src/sna/gen7_render.c
@@ -1142,6 +1142,7 @@ static int gen7_vertex_finish(struct sna *sna)
 sna->render.nvertex_reloc = 0;
 sna->render.vertex_used = 0;
 sna->render.vertex_index = 0;
+ sna->render.vbo = NULL;
 sna->render_state.gen7.vb_id = 0;
 kgem_bo_destroy(&sna->kgem, bo);