Mesa (master): mesa/st: Fix a use-after-free of the NIR shader stage.

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Nov 3 20:59:18 UTC 2020


Module: Mesa
Branch: master
Commit: 71a197943cf856b320082e4e969e0e57de7d9e66
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=71a197943cf856b320082e4e969e0e57de7d9e66

Author: Eric Anholt <eric at anholt.net>
Date:   Mon Nov  2 10:11:11 2020 -0800

mesa/st: Fix a use-after-free of the NIR shader stage.

We just freed the NIR after turning it into TGSI, no using it in that last
switch statement.

Closes: #3725
Fixes: 57effa342b75 ("st/mesa: Drop the TGSI paths for PBOs and use nir-to-tgsi if needed.")
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7407>

---

 src/mesa/state_tracker/st_nir_builtins.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/mesa/state_tracker/st_nir_builtins.c b/src/mesa/state_tracker/st_nir_builtins.c
index 1d1a4ae6907..3791ce628d2 100644
--- a/src/mesa/state_tracker/st_nir_builtins.c
+++ b/src/mesa/state_tracker/st_nir_builtins.c
@@ -34,11 +34,12 @@ st_nir_finish_builtin_shader(struct st_context *st,
 {
    struct pipe_context *pipe = st->pipe;
    struct pipe_screen *screen = pipe->screen;
-   enum pipe_shader_type sh = pipe_shader_type_from_mesa(nir->info.stage);
+   gl_shader_stage stage = nir->info.stage;
+   enum pipe_shader_type sh = pipe_shader_type_from_mesa(stage);
 
    nir->info.name = ralloc_strdup(nir, name);
    nir->info.separate_shader = true;
-   if (nir->info.stage == MESA_SHADER_FRAGMENT)
+   if (stage == MESA_SHADER_FRAGMENT)
       nir->info.fs.untyped_color_outputs = true;
 
    NIR_PASS_V(nir, nir_lower_global_vars_to_local);
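Review bot: The new `stage` local at the top of st_nir_finish_builtin_shader has no comment saying why the stage is copied out of `nir`, so a later cleanup could fold it back into `nir->info.stage` and reintroduce the use-after-free. I would add `/* Cache the stage now: nir may be freed before the final switch. */` directly above the declaration. The function's signature and its end are outside this hunk.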
@@ -49,8 +50,8 @@ st_nir_finish_builtin_shader(struct st_context *st,
 
    if (nir->options->lower_to_scalar) {
       nir_variable_mode mask =
-         (nir->info.stage > MESA_SHADER_VERTEX ? nir_var_shader_in : 0) |
-         (nir->info.stage < MESA_SHADER_FRAGMENT ? nir_var_shader_out : 0);
+          (stage > MESA_SHADER_VERTEX ? nir_var_shader_in : 0) |
+          (stage < MESA_SHADER_FRAGMENT ? nir_var_shader_out : 0);
 
       NIR_PASS_V(nir, nir_lower_io_to_scalar_early, mask);
    }
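Review bot: The two continuation lines of the `mask` initializer are now indented ten spaces where the removed lines used nine, which takes them off the three-space steps used by the rest of the visible code. Keeping the original column for `(stage > MESA_SHADER_VERTEX ? nir_var_shader_in : 0) |` and the line after it would avoid an unrelated whitespace change in a bug-fix commit.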
@@ -82,7 +83,7 @@ st_nir_finish_builtin_shader(struct st_context *st,
       ralloc_free(nir);
    }
 
-   switch (nir->info.stage) {
+   switch (stage) {
    case MESA_SHADER_VERTEX:
       return pipe->create_vs_state(pipe, &state);
    case MESA_SHADER_TESS_CTRL:
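Review bot: After `ralloc_free(nir);` the local `nir` still holds the freed address, so any later edit that reads `nir->...` below this point would bring back the same use-after-free with no compiler warning. Adding `nir = NULL;` right after the free would turn such a read into an immediate fault, rather than a stale read of `info.stage` that could select the wrong `create_*_state` call. The block containing the free starts outside the hunk and the switch continues past it, so whether other paths keep `nir` alive cannot be confirmed from here.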


