From 9b77920452d602f99ae5aafbf50f0e0353a47396 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Marchesin?= Date: Wed, 21 Feb 2018 21:47:19 -0800 Subject: [PATCH] vrend: Fix use-after-free in bound programs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we bind a GL program with a given id, then destroy the program and its id, then immediately create another program which ends up with the same id, we won't be able to tell that a new program needs to be bound, and we will access freed data. This results in funny crashes. We fix this by setting the program to 0 when a different shader is being bound. This will force the draw code to bind the proper program later on. This fixes a lot of semi-random crashes. To debug it I used this particular deqp test which becomes stable with this change: dEQP-GLES3.functional.draw.draw_elements.triangle_fan.default_attribute Signed-off-by: Stéphane Marchesin Tested-by: Robert Foss Signed-off-by: Dave Airlie --- src/vrend_renderer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index 167a56c..8432e64 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c @@ -2382,8 +2382,11 @@ void vrend_bind_shader(struct vrend_context *ctx, if (sel->type != type) return; - if (ctx->sub->shaders[sel->type] != sel) + if (ctx->sub->shaders[sel->type] != sel) { ctx->sub->shader_dirty = true; + ctx->sub->prog_ids[sel->type] = 0; + } + vrend_shader_state_reference(&ctx->sub->shaders[sel->type], sel); }
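Review bot: the reset `ctx->sub->prog_ids[sel->type] = 0;` is only reached on the `ctx->sub->shaders[sel->type] != sel` path, so it handles the destroy-then-recreate-with-the-same-id sequence described in the message, but a program that is freed while the same selector stays bound would still leave a stale id in prog_ids; consider clearing the cached id where the program is actually destroyed instead of (or in addition to) at bind time, so every path that frees a program invalidates the cache. The message should also state that 0 is treated as "no program" by the draw code, since the fix relies on that sentinel to force the rebind, and the semantics of the per-type prog_ids entry are not otherwise documented in this hunk. Minor: the lone `+` line after the closing `}` adds an extra blank line in the new code; drop it unless the surrounding style calls for it.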