Mesa (master): llvmpipe: fix use after free with fs variant cleanup
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Wed Feb 10 22:48:17 UTC 2021
Module: Mesa
Branch: master
Commit: c10b7854902cec504b5bc5139d9a56e489c00b16
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=c10b7854902cec504b5bc5139d9a56e489c00b16
Author: Dave Airlie <airlied at redhat.com>
Date: Mon Feb 8 16:52:57 2021 +1000
llvmpipe: fix use after free with fs variant cleanup
item->base will be freed for the NULL reference write
so just use a temporary to avoid it.
This was found with asan and lavapipe:
dEQP-VK.api.copy_and_blit.core.blit_image*
Reviewed-by: Adam Jackson <ajax at redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8912>
---
src/gallium/drivers/llvmpipe/lp_state_fs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/llvmpipe/lp_state_fs.c b/src/gallium/drivers/llvmpipe/lp_state_fs.c
index b151efcd798..ec77d3cee33 100644
--- a/src/gallium/drivers/llvmpipe/lp_state_fs.c
+++ b/src/gallium/drivers/llvmpipe/lp_state_fs.c
@@ -4235,7 +4235,8 @@ llvmpipe_update_fs(struct llvmpipe_context *lp)
assert(item);
assert(item->base);
llvmpipe_remove_shader_variant(lp, item->base);
- lp_fs_variant_reference(lp, &item->base, NULL);
+ struct lp_fragment_shader_variant *variant = item->base;
+ lp_fs_variant_reference(lp, &variant, NULL);
}
}
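Review bot: The new temporary at `struct lp_fragment_shader_variant *variant = item->base;` carries no comment explaining why `&item->base` must not be passed to `lp_fs_variant_reference()`, so a later cleanup could fold the two lines back into one and reintroduce the use after free the commit message describes. A one-line comment above the declaration would help, stating that dropping the reference can free the storage holding `item->base`, so the NULL write has to land in a local. It would also be worth saying there that `item` must not be dereferenced after this call; the visible context closes the block right afterwards, so nothing does today, but nothing in the code records that constraint. As a style point, the declaration follows statements inside the block; if the file's convention is declarations first, move it up next to the asserts.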