Module: Mesa Branch: master Commit: c10b7854902cec504b5bc5139d9a56e489c00b16 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=c10b7854902cec504b5bc5139d9a56e489c00b16
Author: Dave Airlie <[email protected]> Date: Mon Feb 8 16:52:57 2021 +1000 llvmpipe: fix use after free with fs variant cleanup item->base will be freed for the NULL reference write so just use a temporary to avoid it. This was found with asan and lavapipe: dEQP-VK.api.copy_and_blit.core.blit_image* Reviewed-by: Adam Jackson <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8912> --- src/gallium/drivers/llvmpipe/lp_state_fs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/gallium/drivers/llvmpipe/lp_state_fs.c b/src/gallium/drivers/llvmpipe/lp_state_fs.c index b151efcd798..ec77d3cee33 100644 --- a/src/gallium/drivers/llvmpipe/lp_state_fs.c +++ b/src/gallium/drivers/llvmpipe/lp_state_fs.c @@ -4235,7 +4235,8 @@ llvmpipe_update_fs(struct llvmpipe_context *lp) assert(item); assert(item->base); llvmpipe_remove_shader_variant(lp, item->base); - lp_fs_variant_reference(lp, &item->base, NULL); + struct lp_fragment_shader_variant *variant = item->base; + lp_fs_variant_reference(lp, &variant, NULL); } } _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
