From 71a197943cf856b320082e4e969e0e57de7d9e66 Mon Sep 17 00:00:00 2001 From: Eric Anholt Date: Mon, 2 Nov 2020 10:11:11 -0800 Subject: [PATCH] mesa/st: Fix a use-after-free of the NIR shader stage. We just freed the NIR after turning it into TGSI, no using it in that last switch statement. Closes: #3725 Fixes: 57effa342b75 ("st/mesa: Drop the TGSI paths for PBOs and use nir-to-tgsi if needed.") Reviewed-by: Ian Romanick Part-of: --- src/mesa/state_tracker/st_nir_builtins.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/mesa/state_tracker/st_nir_builtins.c b/src/mesa/state_tracker/st_nir_builtins.c index 1d1a4ae6907..3791ce628d2 100644 --- a/src/mesa/state_tracker/st_nir_builtins.c +++ b/src/mesa/state_tracker/st_nir_builtins.c @@ -34,11 +34,12 @@ st_nir_finish_builtin_shader(struct st_context *st, { struct pipe_context *pipe = st->pipe; struct pipe_screen *screen = pipe->screen; - enum pipe_shader_type sh = pipe_shader_type_from_mesa(nir->info.stage); + gl_shader_stage stage = nir->info.stage; + enum pipe_shader_type sh = pipe_shader_type_from_mesa(stage); nir->info.name = ralloc_strdup(nir, name); nir->info.separate_shader = true; - if (nir->info.stage == MESA_SHADER_FRAGMENT) + if (stage == MESA_SHADER_FRAGMENT) nir->info.fs.untyped_color_outputs = true; NIR_PASS_V(nir, nir_lower_global_vars_to_local); @@ -49,8 +50,8 @@ st_nir_finish_builtin_shader(struct st_context *st, if (nir->options->lower_to_scalar) { nir_variable_mode mask = - (nir->info.stage > MESA_SHADER_VERTEX ? nir_var_shader_in : 0) | - (nir->info.stage < MESA_SHADER_FRAGMENT ? nir_var_shader_out : 0); + (stage > MESA_SHADER_VERTEX ? nir_var_shader_in : 0) | + (stage < MESA_SHADER_FRAGMENT ? nir_var_shader_out : 0); NIR_PASS_V(nir, nir_lower_io_to_scalar_early, mask); } @@ -82,7 +83,7 @@ st_nir_finish_builtin_shader(struct st_context *st, ralloc_free(nir); } - switch (nir->info.stage) { + switch (stage) { case MESA_SHADER_VERTEX: return pipe->create_vs_state(pipe, &state); case MESA_SHADER_TESS_CTRL: