This atom tries to unbind cb0 when it's not used any more (the params &&
params->NumParameters check), but if you transitioned to not having a
gs/tess enabled at all, you'd skip unbinding it. This was mostly
harmless, since if you don't have a GS, why are you looking at GS
constants? However, if a new program came along that didn't use cb0 at
all, we wouldn't end up in this atom to get the disable, and now you have
a GS enabled but a GS constbuf pointing at potentially freed data.
Dereferencing the freed cb0 data ended up happening in freedreno's
fallback UBO upload path with this combination of tests (which execute in
that order):
dEQP-GLES31.functional.shaders.opaque_type_indexing.sampler.uniform.geometry.sampler2darray
dEQP-GLES31.functional.shaders.opaque_type_indexing.ubo.const_literal_fragment
dEQP-GLES31.functional.shaders.opaque_type_indexing.ubo.dynamically_uniform_geometry
and it seems also affected softpipe as well.
Reviewed-by: Rob Clark <robdclark@chromium.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/9070>